**I have an instance with nginx and php-fpm running behind nginx.**
**Our PCI compliance vendor scanned the box and flagged us saying that there is vulnerability that the host exposes private ip address.**
**Question: How do I bind nginx to the elastic IP so it will never expose the private IP?**
**I tried to reproduce this on my own and wasn't able to make nginx return the private IP. Tried from curl and telnet... Any help appreciated! Thx**
+ Target IP: 52.53.xyz.xyz
+ Target Hostname: host.com
+ Target Port: 443
read R BLOCK
GET /images HTTP/1.0
HTTP/1.1 301 Moved Permanently
Server: nginx/1.15.9
Date: Wed, 04 Sep 2019 18:04:24 GMT
Content-Type: text/html
Content-Length: 169
_Location: https://172.13.11.47/images/_
**This is my nginx configuration for the virtual host that fronts php-fpm**
server {
listen 80;
server_name host.com;
return 301 https://host.com$request_uri;
}
server {
listen 443 ssl http2;
server_name host.com;
....
}
**I see two inet interfaces and there is no elastic IP on them.**
$ ip addr show
1: lo:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0:
link/ether 06:fd:13:08:b9:c2 brd ff:ff:ff:ff:ff:ff
inet 172.13.11.47/20 brd 172.31.14.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe60::4fd:33ff:fe08:b5c2/64 scope link
valid_lft forever preferred_lft forever
You cannot bind nginx to the EIP.
Check your configs and make sure you redirect using the actual domain and not $host for the return.
Also create a default virtual host to capture all traffic not directed at host.com; for example, curl -I http://52.53.xyz.xyz should give a default page, not your site.
server {
    listen 80 default_server;   # default_server is what makes this block the catch-all for port 80
    server_name _;
    root /usr/share/nginx/html;
}
The PCI scan vendor uses the **nikto** security scanner.
I was able to reproduce it locally. This is related to HTTP/1.0 requests only, and only port 443 returns it.
openssl s_client -connect host.com:443
GET /images HTTP/1.0
I am running Nginx on AWS as well and do not have the issue. But my HTTPS settings were set up by the Let's Encrypt Certbot and the port 80 redirect looks like this instead:
server {
if ($host = host.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name .host.com;
return 404; # managed by Certbot
}
Thank you all! I was able to solve this issue.
I found all try_files lines and removed $uri/ and it helped. I was able to reproduce it with a **GET /images HTTP/1.0** request from telnet.
try_files $uri $uri/ /$2$3 /$3 /index.php =404
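Why the trailing-slash redirect carried the private address, and a configuration fix that keeps $uri/ in try_files, as an added example that is not part of any post in this thread: when try_files matches $uri/ for an existing directory such as /images, nginx's static module answers with its own 301 to /images/. With the default server_name_in_redirect off, the host in that absolute Location is copied from the request's Host header, and when an HTTP/1.0 request carries no Host header nginx falls back to the address the connection arrived on, which on an EC2 instance is the private eth0 address (the EIP is NAT at the VPC edge and never appears on the instance, which is also why nginx cannot bind to it). The two server blocks below are hypothetical, not the original poster's configuration: the document root, the certificate paths and the /index.php?$args fallback are placeholders, and only one of the two blocks would be deployed at a time.

```nginx
# Added example, not the original poster's configuration. Paths are placeholders.

# BEFORE: reproduces the finding. For a request to /images, where images/ is an
# existing directory under the root, the plain $uri test does not match a
# directory but the $uri/ test does, and the static module then issues a 301 to
# /images/. The host in that Location is taken from the request's Host header;
# an HTTP/1.0 request with no Host header gets the server's own listening address.
server {
    listen 443 ssl http2;
    server_name host.com;
    ssl_certificate     /etc/ssl/host.com/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/host.com/privkey.pem;     # placeholder path
    root /var/www/host.com;                                # placeholder root

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}

# AFTER: same vhost and the same try_files line, but the redirect no longer
# depends on the client-supplied Host header. Either directive alone is enough;
# with both set, absolute_redirect off wins and the Location is relative.
server {
    listen 443 ssl http2;
    server_name host.com;
    ssl_certificate     /etc/ssl/host.com/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/host.com/privkey.pem;     # placeholder path
    root /var/www/host.com;                                # placeholder root

    server_name_in_redirect on;   # Location: https://host.com/images/ (primary server_name)
    absolute_redirect off;        # Location: /images/ (no host or port at all; nginx 1.11.8+)

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

After reloading, the reproduction used above in the thread (openssl s_client -connect host.com:443, then GET /images HTTP/1.0 followed by an empty line) should return Location: https://host.com/images/ with server_name_in_redirect on, or Location: /images/ with absolute_redirect off. The relative form is the safer choice for any host behind NAT or a proxy, because the redirect then carries neither a hostname nor a port that nginx has to guess; it is available from nginx 1.11.8, so the 1.15.9 build shown in the scan output supports it. Removing $uri/, as the accepted fix does, also works because the directory test never matches and the static-module redirect is never generated, at the cost of sending every directory request straight to the PHP fallback.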