我正在审核我的春季网络应用程序的安全性并发现了一件奇怪的事情。每当我尝试点击地址https://xxxxxxxxx.xxx/app时,浏览器就会捕获要下载的文档。但是我的REST控制器上没有列出名为“/ app”的API。此外,该文件是空白的。 这是我的请求信息:
GET /app HTTP/1.1
Host: xxxxxxxx.xxx
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: NG_TRANSLATE_LANG_KEY=%22en%22; count=0
Connection: close
Upgrade-Insecure-Requests: 1
以下是从服务器发送的响应:
HTTP/1.1 200 OK
Server: nginx/1.13.12
Date: Tue, 05 Jun 2018 11:19:01 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: close
Expires: Sun, 05 Jun 2022 11:19:01 GMT
Cache-Control: max-age=126230400000, public
X-XSS-Protection: 1; mode=block
Pragma: cache
Accept-Ranges: bytes
Last-Modified: Fri, 01 Jun 2018 08:50:14 GMT
X-Content-Type-Options: nosniff
X-Application-Context: some-app
每当我从本地系统尝试时,都没有这样的问题。我已经禁用了我的应用程序的目录列表,但问题仍然存在。如果需要任何其他信息,请告诉我。
我的NGINX conf如下:
server {
listen 443 ssl http2;
server_name xxxxxxxx.xxx;
# Configure SSL
ssl_certificate /etc/ssl/certs/nginx/xxxxxx.xxx.chained.crt;
ssl_certificate_key /etc/ssl/certs/nginx/xxxxxxx.key;
include /etc/nginx/includes/ssl.conf;
location / {
include /etc/nginx/includes/proxy.conf;
proxy_pass http://10.210.xx.xx:8080;
}
access_log off;
error_log /var/log/nginx/error.log error;
}