Comment by udev4096

2 days ago

> allow 192.168.3.0/24;

Can't an attacker spoof an IP and do SSRF? Or is nginx too good at detecting those kinds of attacks?

I think the attacker won't be able to complete a TCP handshake if spoofing an IP, because the return packets won't be routed to the attacker.

The attacker would have to be on the local network, in which case the attacker isn't really bypassing the allow rule, because the allow rule is intended to allow anyone on the local network.
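The reasoning in the thread can be checked with a small model. The following Python is an added example, not code from the thread or from nginx itself: it re-implements the first-match semantics of nginx's `allow`/`deny` rules over the TCP peer address, and a simplified three-way handshake in which the server's SYN-ACK is routed to whoever really holds the claimed source address. The addresses (`192.168.3.10`, `203.0.113.5`), the `Network`/`Host`/`Server` classes and the scenario names are constructed for the example; the model ignores RSTs that a real LAN host would send on receiving an unsolicited SYN-ACK, which only makes the spoofer's position worse.

```python
"""Why `allow 192.168.3.0/24;` is not bypassed by forging a source IP.

Constructed example (not nginx's code). Two things are modelled:
  1. ngx_http_access_module semantics: allow/deny rules are evaluated in
     order, the first match wins, and nothing matching means allow. The
     address checked is the TCP peer, i.e. the source of the packets that
     completed the handshake.
  2. A minimal TCP handshake: the SYN-ACK carrying the server's random
     initial sequence number is delivered to the claimed source address,
     so an off-path sender that forged that address never sees it and
     cannot produce the final ACK.
"""
import ipaddress
import secrets

# Rules as they would appear in nginx.conf, first match wins.
ACCESS_RULES = [
    ("allow", ipaddress.ip_network("192.168.3.0/24")),
    ("deny", ipaddress.ip_network("0.0.0.0/0")),
]


def access_decision(peer_ip: str, rules=ACCESS_RULES) -> str:
    """Return 'allow' or 'deny' for a connected peer, nginx-style."""
    ip = ipaddress.ip_address(peer_ip)
    for action, net in rules:
        if ip in net:
            return action
    return "allow"  # no rule matched: the access module allows


class Network:
    """Routes each packet to the real holder of its destination address."""

    def __init__(self):
        self.hosts = {}

    def deliver(self, pkt):
        host = self.hosts.get(pkt["dst"])
        if host is not None:  # unknown destination: packet is simply lost
            host.receive(pkt)


class Host:
    def __init__(self, ip, net):
        self.ip, self.net, self.inbox = ip, net, []
        net.hosts[ip] = self

    def receive(self, pkt):
        self.inbox.append(pkt)


class Server(Host):
    def __init__(self, ip, net):
        super().__init__(ip, net)
        self.pending = {}          # claimed peer address -> our ISN
        self.established = set()   # peers that finished the handshake

    def receive(self, pkt):
        if pkt["flags"] == "SYN":
            isn = secrets.randbits(32)  # fresh 32-bit ISN per SYN
            self.pending[pkt["src"]] = isn
            # SYN-ACK goes to the *claimed* source, not to whoever sent the SYN.
            self.net.deliver({"src": self.ip, "dst": pkt["src"], "flags": "SYN-ACK",
                              "seq": isn, "ack": (pkt["seq"] + 1) & 0xFFFFFFFF})
        elif pkt["flags"] == "ACK":
            isn = self.pending.get(pkt["src"])
            if isn is not None and pkt["ack"] == (isn + 1) & 0xFFFFFFFF:
                self.established.add(pkt["src"])


def connect(client: Host, server: Server, claimed_src: str):
    """Client sends a SYN with `claimed_src`, then can only answer a SYN-ACK it received.

    Returns (handshake_completed, access_decision_or_None).
    """
    client.inbox.clear()
    client.net.deliver({"src": claimed_src, "dst": server.ip, "flags": "SYN",
                        "seq": secrets.randbits(32)})
    synacks = [p for p in client.inbox if p["flags"] == "SYN-ACK"]
    if not synacks:
        return False, None  # never saw the ISN; no usable ACK can be sent
    client.net.deliver({"src": claimed_src, "dst": server.ip, "flags": "ACK",
                        "ack": (synacks[0]["seq"] + 1) & 0xFFFFFFFF})
    if claimed_src not in server.established:
        return False, None
    return True, access_decision(claimed_src)


def run_scenarios():
    """Three constructed peers against a server that applies ACCESS_RULES."""
    net = Network()
    server = Server("10.0.0.1", net)
    lan_host = Host("192.168.3.10", net)
    internet_host = Host("203.0.113.5", net)
    return {
        "lan host": connect(lan_host, server, "192.168.3.10"),
        "internet host": connect(internet_host, server, "203.0.113.5"),
        # Off-path host forging a LAN address: SYN-ACK is routed to 192.168.3.10.
        "spoofed lan address": connect(internet_host, server, "192.168.3.10"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} handshake={result[0]!s:5s} decision={result[1]}")
```

The model makes the two halves of the argument explicit: the `allow` rule is only ever consulted for a peer that completed the handshake, and completing it requires receiving the SYN-ACK, which is delivered to the claimed address rather than to the sender. A host that genuinely sits in `192.168.3.0/24` passes both steps, which is exactly what the rule intends.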