by knagy 795 days ago
That unix domain socket solution sounds really nice. I wonder if it would be possible to send something naughty in the host header (like something with ../../.. in it) to misuse this, or whether nginx does some validation before it reaches the proxy_pass...

I also tried to hack together my own solution [0] just for fun, but I didn't know about the unix socket part, so at the end I went with traefik and redis. :)

[0] https://deadlime.hu/en/2023/10/29/light-at-the-end-of-the-tu...

1 comment

I updated the post late last night to address the security bits of the host header. Based on my understanding of nginx documentation and some brief testing, I don't think path traversal in the host header is possible -- nginx throws a 400 instead of a 502, which indicates it isn't making it to the proxy_pass yet. I think the $host variable is basically guaranteed to at least match the server_name regex block by the time it reaches the proxy_pass -- so to further tighten it up, you could only allow alphanumeric characters in your server_name regex.

I just checked out your solution and also learned a new trick about ssh! I didn't know that setting the port to 0 would cause dynamic allocation for the tunnel. It makes sense, I did know about that 0 behavior just in typical linux processes, but never thought to apply it to an ssh tunnel.
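As an added illustration of the point made in the reply above (this is example configuration, not the linked post's or either commenter's own config), here is one way to route by subdomain to a per-tunnel unix domain socket while keeping the socket path derived only from an alphanumeric `server_name` capture rather than from the raw `$host`. The domain `tunnels.example.com` and the socket directory `/run/tunnels/` are assumptions; a default server catches any Host header that does not match the regex, so such requests never reach `proxy_pass`.

```nginx
# Added example config (not from the original post). Assumptions: tunnels are
# exposed as <name>.tunnels.example.com and each tunnel's sshd-forwarded
# socket lives at /run/tunnels/<name>.sock.

# Catch-all for any Host header that does not match the tunnel regex below.
# Unmatched or malformed hosts end here and are never proxied.
server {
    listen 80 default_server;
    server_name _;
    return 404;
}

server {
    listen 80;

    # Only lowercase alphanumeric labels can match, so the $tunnel capture
    # cannot contain '.', '/', or anything else usable for path traversal.
    server_name ~^(?<tunnel>[a-z0-9]+)\.tunnels\.example\.com$;

    location / {
        # Socket path is built from the validated capture, not from $host.
        # No URI part after the socket, so the client's request URI is passed as-is.
        proxy_pass http://unix:/run/tunnels/$tunnel.sock;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Allow WebSocket upgrades through the tunnel.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

A quick way to check the behaviour after `nginx -t` and a reload is to send requests with a deliberately odd Host header (for example `curl -H 'Host: ../x.tunnels.example.com' http://127.0.0.1/`) and confirm they receive the catch-all response rather than a 502 from a missing socket; a matching host with no socket present is the case that should return 502.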