@prasetiyohadi
Created December 23, 2015 07:23
Using Nginx to protect against CVE-2015-1635
# See https://www.nginx.com/blog/nginx-protect-cve-2015-1635/
# Using Nginx to protect against CVE-2015-1635
# Exploit: https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/
# Identifying and handling reconnaissance traffic
# This is a stopgap for IIS hosts that cannot yet install the vendor patch (MS15-034); it only helps
# for traffic that actually passes through NGINX.
# HTTP requests with a huge byte range in the **Range** header trigger the crash. The probe seen in
# the wild asks for bytes 0 through 18446744073709551615 (2^64-1, the largest unsigned 64-bit value):
#
# GET / HTTP/1.1\r\n
# Host: stuff\r\n
# Range: bytes=0-18446744073709551615\r\n
# \r\n
# Simplest fix is to use the proxy_set_header directive to set the Range header to "". An empty value
# makes NGINX omit the header entirely, so IIS never sees a byte range. This also disables legitimate
# range requests (download resumption, video seeking) for everything behind this proxy.
server {
    listen 80;
    location / {
        proxy_set_header Range "";
        proxy_pass http://windowsserver:80;
    }
}
# If your application requires byte-range support, you can use the map directive to replace the whole
# **Range** value with the empty string whenever it contains a run of digits long enough to be a
# suspiciously large integer, and then pass the result to **proxy_set_header**. Legitimate values
# (bytes=0-499, bytes=1000-, bytes=-500) are forwarded unchanged; an empty $saferange drops the header.
# Note that the digit count is a heuristic: it also drops legitimate ranges on resources of 10^9
# bytes or more, so set the threshold from the largest file the origin serves.
map $http_range $saferange {
    "~\d{10,}" "";          # if it contains a run of 10 or more digits, drop the whole header
    default    $http_range; # otherwise forward the client's value as-is
}
server {
    listen 80;
    location / {
        proxy_set_header Range $saferange;
        proxy_pass http://windowsserver:80;
    }
}
# Alternatively, you can return HTTP code 444 when the value in the Range header resembles a large integer.
# Code 444 instructs NGINX and NGINX Plus to close the client connection immediately without returning anything,
# which is a reasonable response to a scanner but gives a legitimate client no error to act on.
# The threshold here is 9 digits (a stricter cut-off than the 10 used in the map above); pick one value
# and use it consistently. Using return inside an if block at server level is one of the safe uses of if.
server {
    listen 80;
    if ($http_range ~ "\d{9,}") {
        return 444;
    }
    location / {
        proxy_pass http://windowsserver:80;
    }
}
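The following is an added example, not part of the gist or of the NGINX blog post it copies. It re-implements the digit-count heuristic of the map block in Python so it can be checked offline against constructed sample requests, and sets a stricter numeric check beside it: parse the byte-range specs and flag any bound above the largest resource the origin serves. The 2 GiB limit, the sample requests and the helper names (safe_range, parse_byte_ranges, is_suspicious, range_header, scan) are assumptions made for this example.

```python
"""Added example: evaluating Range header values the way the gist's nginx
map/if blocks do, plus a stricter numeric check, over constructed sample
requests. Not part of the gist or of the NGINX blog post."""
import re
from typing import Dict, List, Optional, Tuple

def safe_range(http_range: str, min_digits: int = 10) -> str:
    """Mirror of the gist's map regex "~\\d{10,}": a run of min_digits or more
    decimal digits anywhere in the value makes nginx forward an empty Range,
    which proxy_set_header turns into 'no Range header at all'."""
    if re.search(r"[0-9]{%d,}" % min_digits, http_range):
        return ""
    return http_range

_BYTES = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)
_PART = re.compile(r"^([0-9]*)-([0-9]*)$")

def parse_byte_ranges(http_range: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Parse 'bytes=a-b, c-, -d' into (start, end) pairs; None marks an open end.

    Raises ValueError on anything malformed so a caller can treat unparsable
    values as hostile instead of forwarding them to the origin.
    """
    m = _BYTES.match(http_range)
    if not m:
        raise ValueError("not a bytes range: %r" % http_range)
    ranges = []
    for spec in m.group(1).split(","):
        p = _PART.match(spec.strip())
        if not p or (p.group(1) == "" and p.group(2) == ""):
            raise ValueError("bad range spec: %r" % spec)
        start = int(p.group(1)) if p.group(1) else None
        end = int(p.group(2)) if p.group(2) else None
        if start is not None and end is not None and start > end:
            raise ValueError("start after end: %r" % spec)
        ranges.append((start, end))
    return ranges

def is_suspicious(http_range: str, max_resource_size: int) -> bool:
    """Stricter alternative to the digit-count heuristic: flag a Range whose
    bounds exceed the largest resource the origin serves (an assumed,
    deployment-specific limit) or that does not parse at all."""
    try:
        ranges = parse_byte_ranges(http_range)
    except ValueError:
        return True
    return any(b is not None and b > max_resource_size
               for start, end in ranges for b in (start, end))

def range_header(raw_request: str) -> Optional[str]:
    """Pull the Range value out of a raw CRLF-delimited HTTP/1.x request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "range":
            return value.strip()
    return None

# Constructed sample traffic (not captured data): the probe from the gist,
# three legitimate byte-range requests, one malformed value, one without Range.
SAMPLES: Dict[str, str] = {
    "probe":   "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "resume":  "GET /iso/big.iso HTTP/1.1\r\nHost: stuff\r\nrange: bytes=1000-\r\n\r\n",
    "tail":    "GET /log.txt HTTP/1.1\r\nHost: stuff\r\nRange: bytes=-500\r\n\r\n",
    "1gib":    "GET /iso/big.iso HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-1073741824\r\n\r\n",
    "garbage": "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=-\r\n\r\n",
    "norange": "GET / HTTP/1.1\r\nHost: stuff\r\n\r\n",
}

def scan(samples: Dict[str, str], max_resource_size: int,
         min_digits: int = 10) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (dropped_by_map_heuristic, flagged_by_numeric_check)}."""
    result = {}
    for name, raw in samples.items():
        value = range_header(raw)
        if value is None:
            result[name] = (False, False)
            continue
        dropped = safe_range(value, min_digits) == ""
        result[name] = (dropped, is_suspicious(value, max_resource_size))
    return result

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES, max_resource_size=2 * 1024 ** 3).items():
        print("%-8s map-drops=%-5s numeric-flags=%s" % (name, verdict[0], verdict[1]))
```

The "1gib" sample is the point of the comparison: "bytes=0-1073741824" has ten digits, so the map heuristic drops a perfectly legitimate range on a 1 GiB file, while the numeric check with a 2 GiB ceiling lets it through and still rejects the 2^64-1 probe and the unparsable "bytes=-". The regex is what you can express in nginx configuration; the parser is what you would put in a WAF rule or a log-scanning job.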