Prevent httpoxy attack

[kravietz]

If proxy module is used, make sure this is set to thwart the httpoxy attack:

proxy_set_header Proxy "";

More detailed discussion at Nginx website: Mitigating the HTTPoxy Vulnerability with NGINX

[rndmh3ro]

Hey @kravietz,

I moved this issue to our nginx-baseline repo, as new hardening-tests are first developed here! Then we will integrate them into the actual hardening repositories.

[chris-rock]

I think it is great to add an option here to verify that the proxy header is set to an empty string. How do we deal with the fact that the value is not always empty?

[kravietz]

@chris-rock any set at the proxy value prevents the attack - the vector only works if it can be set arbitrarily from the HTTP request. So a mere check for presence of proxy_set_header Proxy should be sufficient.

[chris-rock]

@kravietz That is great. Thank you for your explanation. Let us add this to the baseline!