• Stars
    star
    148
  • Rank 249,983 (Top 5 %)
  • Language
    C
  • Created almost 15 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Native support for cross-site scripting (XSS) in an nginx

Name

xss-nginx-module - Native cross-site scripting support in nginx

Table of Contents

Synopsis

# accessing /foo?callback=process gives the response
# body "process(...);" (without quotes) where "..."
# is the original response body of the /foo location.
server {
    location /foo {
        # your content handler goes here...

        xss_get on;
        xss_callback_arg 'callback';
        xss_input_types 'application/json'; # default
        xss_output_type 'application/x-javascript'; # default
    }
    ...
}

Description

This module adds cross-site AJAX support to nginx. Currently only cross-site GET is supported. But cross-site POST will be added in the future.

The cross-site GET is currently implemented as JSONP (or "JSON with padding"). See http://en.wikipedia.org/wiki/JSON#JSONP for more details.

Directives

Back to TOC

xss_get

syntax: xss_get on | off

default: xss_get off

context: http, server, location, if location

Enables JSONP support for GET requests.

Back to TOC

xss_callback_arg

syntax: xss_callback_arg <name>

default: none

context: http, http, location, if location

Specifies the JavaScript callback function name used in the responses.

For example,

location /foo {
    xss_get on;
    xss_callback_arg c;
    ...
}

then

GET /foo?c=blah

returns

blah(...);

Back to TOC

xss_override_status

syntax: xss_override_status on | off

default: xss_check_status on

context: http, server, location, if location

Specifies whether to override 30x, 40x and 50x status to 200 when the response is actually being processed.

Back to TOC

xss_check_status

syntax: xss_check_status on | off

default: xss_check_status on

context: http, server, location, if location

By default, ngx_xss only process responses with the status code 200 or 201.

Back to TOC

xss_input_types

syntax: xss_input_types [mime-type]...

default: xss_input_types application/json

context: http, server, location, if location

Only processes the responses of the specified MIME types.

Example:

xss_input_types application/json text/plain;

Back to TOC

Limitations

  • ngx_xss will not work with ngx_echo's subrequest interfaces, due to the underlying limitations imposed by subrequests' "postponed chain" mechanism in the nginx core. The standard ngx_addition module also falls into this category. You're recommended, however, to use ngx_lua as the content handler to issue subrequests and ngx_xss to do JSONP, because ngx_lua's ngx.location.capture() interface does not utilize the "postponed chain" mechanism, thus getting out of this limitation. We're taking this approach in production and it works great.

Back to TOC

Trouble Shooting

Use the "info" error log level (or lower) to get more diagnostics when things go wrong.

Back to TOC

Installation

You're recommended to install this module (as well as the Nginx core and many other goodies) via the OpenResty bundle. See the detailed instructions for downloading and installing OpenResty into your system. This is the easiest and most safe way to set things up.

Alternatively, you can install this module manually with the Nginx source:

Grab the nginx source code from nginx.org, for example, the version 1.13.6 (see nginx compatibility), and then build the source with this module:

 $ wget 'http://nginx.org/download/nginx-1.13.6.tar.gz'
 $ tar -xzvf nginx-1.13.6.tar.gz
 $ cd nginx-1.13.6/

 # Here we assume you would install you nginx under /opt/nginx/.
 $ ./configure --prefix=/opt/nginx \
     --add-module=/path/to/rds-json-nginx-module

 $ make -j2
 $ make install

Download the latest version of the release tarball of this module from xss-nginx-module file list.

Also, this module is included and enabled by default in the OpenResty bundle.

Back to TOC

Compatibility

The following versions of Nginx should work with this module:

  • 1.13.x (last tested: 1.13.6)
  • 1.12.x
  • 1.11.x (last tested: 1.11.2)
  • 1.10.x
  • 1.9.x (last tested: 1.9.7)
  • 1.8.x
  • 1.7.x (last tested: 1.7.10)
  • 1.6.x
  • 1.5.x
  • 1.4.x (last tested: 1.4.3)
  • 1.2.x (last tested: 1.2.9)
  • 1.0.x (last tested: 1.0.10)
  • 0.9.x (last tested: 0.9.4)
  • 0.8.x (last tested: 0.8.54)
  • 0.7.x >= 0.7.30 (last tested: 0.7.67)

Earlier versions of Nginx like 0.6.x and 0.5.x will not work.

If you find that any particular version of Nginx above 0.7.30 does not work with this module, please consider reporting a bug.

Back to TOC

TODO

  • add cross-site POST support.

Back to TOC

Author

Yichun "agentzh" Zhang (η« δΊ¦ζ˜₯) <agentzh@gmail@com>

Back to TOC

Copyright & License

The implementation of the builtin connection pool has borrowed a lot of code from Maxim Dounin's upstream_keepalive module. This part of code is copyrighted by Maxim Dounin.

This module is licenced under the BSD license.

Copyright (C) 2009-2018 by Yichun "agentzh" Zhang (η« δΊ¦ζ˜₯) <[email protected]> OpenResty Inc.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Back to TOC

See Also

Back to TOC

More Repositories

1

openresty

High Performance Web Platform Based on Nginx and LuaJIT
C
12,431
star
2

lua-nginx-module

Embed the Power of Lua into NGINX HTTP servers
C
11,224
star
3

nginx-tutorials

Nginx Tutorials
Perl
2,864
star
4

lua-resty-redis

Lua redis client driver for the ngx_lua based on the cosocket API
Lua
1,893
star
5

openresty-systemtap-toolkit

Real-time analysis and diagnostics tools for OpenResty (including NGINX, LuaJIT, ngx_lua, and more) based on SystemTap
Perl
1,653
star
6

headers-more-nginx-module

Set, add, and clear arbitrary output headers in NGINX http servers
C
1,636
star
7

openresty.org

Code and data for the openresty.org site
HTML
1,262
star
8

luajit2

OpenResty's Branch of LuaJIT 2
C
1,229
star
9

echo-nginx-module

An Nginx module for bringing the power of "echo", "sleep", "time" and more to Nginx's config file
C
1,162
star
10

docker-openresty

Docker tooling for OpenResty
Dockerfile
934
star
11

redis2-nginx-module

Nginx upstream module for the Redis 2.0 protocol
C
902
star
12

lua-resty-limit-traffic

Lua library for limiting and controlling traffic in OpenResty/ngx_lua
Lua
815
star
13

lua-resty-core

New FFI-based API for lua-nginx-module
Lua
797
star
14

stream-lua-nginx-module

Embed the power of Lua into NGINX TCP/UDP servers
C
723
star
15

lua-resty-mysql

Nonblocking Lua MySQL driver library for ngx_lua or OpenResty
Lua
703
star
16

stapxx

Simple macro language extentions to systemtap
Perl
692
star
17

sregex

A non-backtracking NFA/DFA-based Perl-compatible regex engine matching on large data streams
C
616
star
18

lua-resty-upstream-healthcheck

Health Checker for Nginx Upstream Servers in Pure Lua
Lua
513
star
19

lua-resty-websocket

WebSocket support for the ngx_lua module (and OpenResty)
Lua
503
star
20

lua-upstream-nginx-module

Nginx C module to expose Lua API to ngx_lua for Nginx upstreams
C
499
star
21

srcache-nginx-module

Transparent subrequest-based caching layout for arbitrary nginx locations.
C
474
star
22

opm

OpenResty Package Manager
Lua
458
star
23

test-nginx

Data-driven test scaffold for Nginx C module and OpenResty Lua library development
Perl
438
star
24

lua-resty-lrucache

Lua-land LRU Cache based on LuaJIT FFI
Lua
437
star
25

lua-resty-string

String utilities and common hash functions for ngx_lua and LuaJIT
Lua
426
star
26

lua-resty-upload

Streaming reader and parser for http file uploading based on ngx_lua cosocket
Lua
401
star
27

set-misc-nginx-module

Various set_xxx directives added to nginx's rewrite module (md5/sha1, sql/json quoting, and many more)
C
388
star
28

drizzle-nginx-module

an nginx upstream module that talks to mysql and drizzle by libdrizzle
C
336
star
29

openresty-gdb-utils

GDB Utilities for OpenResty (including Nginx, ngx_lua, LuaJIT, and more)
Python
335
star
30

lua-resty-balancer

A generic consistent hash implementation for OpenResty/Lua
Lua
325
star
31

lua-resty-dns

DNS resolver for the nginx lua module
Lua
321
star
32

programming-openresty

Programming OpenResty Book
Perl
317
star
33

lua-resty-lock

Simple nonblocking lock API for ngx_lua based on shared memory dictionaries
Lua
304
star
34

openresty-devel-utils

Utilities for nginx module development
Perl
266
star
35

resty-cli

Fancy command-line utilities for OpenResty
Perl
263
star
36

replace-filter-nginx-module

Streaming regular expression replacement in response bodies
C
258
star
37

memc-nginx-module

An extended version of the standard memcached module that supports set, add, delete, and many more memcached commands.
C
213
star
38

lua-resty-memcached

Lua memcached client driver for the ngx_lua based on the cosocket API
Lua
210
star
39

encrypted-session-nginx-module

encrypt and decrypt nginx variable values
C
198
star
40

openresty-packaging

Official OpenResty packaging source and scripts for various Linux distributions and other systems
Makefile
176
star
41

rds-json-nginx-module

An nginx output filter that formats Resty DBD Streams generated by ngx_drizzle and others to JSON
C
153
star
42

mockeagain

Mocking ideally slow network that only allows reading and/or writing one byte at a time
C
129
star
43

lua-resty-shell

Lua module for nonblocking system shell command executions
Perl
124
star
44

lua-tablepool

Lua table recycling pools for LuaJIT
Perl
112
star
45

lua-redis-parser

Lua module for parsing raw redis responses
C
93
star
46

openresty-survey

OpenResty Web App for OpenResty User Survey
HTML
90
star
47

lua-ssl-nginx-module

NGINX C module that extends ngx_http_lua_module for enhanced SSL/TLS capabilities
Lua
86
star
48

opsboy

A rule-based sysadmin tool that helps setting up complex environment for blank machines
Perl
85
star
49

no-pool-nginx

replace nginx's pool mechanism with plain malloc & free to help tools like valgrind
Shell
77
star
50

stream-echo-nginx-module

TCP/stream echo module for NGINX (a port of ngx_http_echo_module)
C
69
star
51

meta-lua-nginx-module

Meta Lua Nginx Module supporting both Http Lua Module and Stream Lua Module
C
66
star
52

array-var-nginx-module

Add support for array-typed variables to nginx config files
C
66
star
53

lemplate

OpenResty/Lua template framework implementing Perl's TT2 templating language
Perl
54
star
54

openresty-con

JavaScript
48
star
55

nginx-dtrace

An nginx fork that adds dtrace USDT probes
C
44
star
56

orbpf-ko

The orbpf (eBPF+) Linux kernel module from OpenResty Inc.
C
37
star
57

lua-resty-memcached-shdict

Powerful memcached client with a shdict caching layer and many other features
Lua
33
star
58

lua-resty-signal

Lua library for killing or sending signals to UNIX processes
Perl
32
star
59

lua-resty-shdict-simple

Simple applicaton-oriented interface to the OpenResty shared dictionary API
Perl
32
star
60

luajit2-test-suite

OpenResty's LuaJIT test suite based on Mike Pall's LuaJIT tests
Lua
29
star
61

ngx_postgres

OpenResty's fork of FRiCKLE/ngx_postgres
C
26
star
62

rds-csv-nginx-module

Nginx output filter module to convert Resty-DBD-Streams (RDS) to Comma-Separated Values (CSV)
C
22
star
63

showman-samples

Sample screenplay files for generating our public video tutorials using OpenResty Showman
20
star
64

lua-rds-parser

Resty DBD Stream (RDS) parser for Lua written in C
C
19
star
65

redis-nginx-module

8
star
66

AB-test-http

test http requests between two systems.
Perl
5
star
67

transparency

2
star