JDunphy wrote: Wed Oct 09, 2024 4:51 pm
> Can we do something like this at the nginx level and restart the proxy until we can test and deploy this recent patch that may have non security related updates.
>
> Code:
> location ~* /(service|principals|dav|\.well-known|home|octopus|shf|user|certauth|spnegoauth|(zimbra/home)|(zimbra/user))/ {
>     # ZBUG-2706 Memcached poisoning with unauthenticated request
>     if ($request_uri ~* "%0A|%0D") {
>         return 403;
>     }
>
>     #%%% tmp until patch can be tested?
>     if ($request_uri ~* "graphql" && $request_method = GET) {
>         return 403;
>     }

I don't think the above code works (nginx doesn't like &&). I've been playing around with using this on my test site, and so far, it seems to be working:
Code:
    #%%% tmp until patch 10.0.10 can be tested
    set $and 1;
    if ($request_uri !~* "graphql") {
        set $and 0;
    }
    if ($request_method != GET) {
        set $and 0;
    }
    if ($and) {
        return 403;
    }
/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.template
-Aaron
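
A way to confirm from the proxy access log that the workaround above is taking effect, as an added example that is not part of the original post: it mirrors the rule (URI contains "graphql", case-insensitive, and method is GET) and reports matching requests that were not answered with 403. The "combined" log layout, the function names and the sample lines are assumptions; adapt the pattern to your own log_format.

```python
import re

# Request line and status from an access-log entry in nginx "combined" layout
# (assumption: change this pattern if the proxy uses a custom log_format).
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')


def rule_matches(method, uri):
    """Mirror the workaround: URI contains "graphql" (any case) AND method is GET."""
    return method == "GET" and re.search("graphql", uri, re.IGNORECASE) is not None


def audit(lines):
    """Split rule-matching requests into (blocked, leaked) by response status."""
    blocked, leaked = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not rule_matches(m["method"], m["uri"]):
            continue  # unparsable line, or a request the rule does not cover
        (blocked if m["status"] == "403" else leaked).append(line)
    return blocked, leaked


# Constructed sample entries (documentation addresses and paths, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2024:09:01:02 +0000] "GET /service/example/graphql?q=1 HTTP/1.1" 403 153 "-" "curl/8.0"',
    '192.0.2.11 - - [10/Oct/2024:09:01:05 +0000] "GET /service/example/GraphQL HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.12 - - [10/Oct/2024:09:01:09 +0000] "POST /service/example/graphql HTTP/1.1" 200 734 "-" "curl/8.0"',
    '192.0.2.13 - - [10/Oct/2024:09:01:12 +0000] "GET /service/home/~/inbox HTTP/1.1" 200 2048 "-" "curl/8.0"',
]

if __name__ == "__main__":
    blocked, leaked = audit(SAMPLE)
    print(f"blocked by rule: {len(blocked)}")
    for line in leaked:
        # A non-403 answer means this request reached a server block without the rule.
        print("NOT BLOCKED:", line)
```

Any "NOT BLOCKED" line points at a server block generated without the rule, so check each proxy template and restart the proxy after editing.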