2

When I enter the request URL http://mydomain/url=http://example.com, I want Nginx to return http://example.com, but instead it gives me http:/example.com (one slash is removed).

What’s wrong?

This is my Nginx conf:

location ~ url=(.*)$ {
    return 301 $1;
}
TRiG
  • 10,148
  • 7
  • 57
  • 107
Brock Chen
  • 23
  • 2
  • 1
    Why do people try to invent their own non-standard way to pass parameters? Whats wrong with simple `?url=whatever`? – Alexey Ten Jul 04 '16 at 07:21
  • 2
    Nginx compresses adjacent slashes to one because it's what everyone wants 99.99% of the time. You could disable it with `merge_slashes off;` directive http://nginx.org/r/merge_slashes but there will be consequences, possibly security vulnerabilities. – Alexey Ten Jul 04 '16 at 07:23
  • Did my answer solve your question? If yes, please click the accept button (you'll also gain some points by doing so). – cnst Jul 11 '16 at 17:09
  • @BrockChen, thanks for finally clicking Accept! Have a +1 on me! :-) – cnst Sep 12 '16 at 16:20

1 Answers1

1

In addition to the suggestion of Alexey Ten to use http://nginx.org/r/merge_slashes, which indeed may cause security issues, you can also use the following, which is probably a better approach anyways (if you are aleady set at the URL structure, that is):

location /url= {
    if ($request_uri ~ ^/url=(.*)$) {
        return 301 $1;
    }
    return 403;
}

Another option would be:

location /url=http:/ {
    rewrite ^/url=http:/(.*)$   http://$1;
}

BTW, I would avoid using regular expressions in top-level locations, as it's generally less efficient than using the approaches above, but you can basically do the same thing with your approach as well.

Note, however, that in any case, unconditionally redirecting users to a user-supplied string may itself make your site vulnerable to certain attacks.

cnst
  • 25,870
  • 6
  • 90
  • 122