Matching %ff in Nginx rewrite rules

tollmanz asked:

I have some dubious requests coming into my server that contain %ff and %FF (e.g., /blog/%ffupdates/. I’m getting thousands of these daily and would like to start redirecting them to a 403. I currently have an endpoint that I use to blackhole things like this and would like to rewrite these URLs to point to that endpoint.

Currently, I am trying:

rewrite ^/.*?%ff.*?$ https://domain.com/forbidden permanent;

I fully understand that this might be too greedy of a match; however, I am just trying to get something to work initially.

Now, when I try this and view the debug log, it seems as though %ff is getting converted to (yes, that’s supposed to be the question mark diamond thingy).

For instance, there are things like this in the log:

*4 "^/.*?%ff.*?$" does not match "/blog/�updates/"

It seems that because %ff is converted, I cannot actually match the string.

I’m running Nginx 1.7.1 with SSL and SPDY.

Any thoughts?

My answer:


You should be able to match this by regex. For instance:

location ~ /xff/ {
    return 403;
}

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.