Server-Side Request Forgery (SSRF) Prevention

Server-Side Request Forgery (SSRF) Prevention

SSRF vulnerabilities allow attackers to make the server send requests to internal resources on their behalf. They are common in reverse proxy configurations:

Vulnerable configuration:

# VULNERABLE - DO NOT USE
# Negative example: the upstream address is taken verbatim from the `url`
# query-string argument, so the requester, not the operator, decides where
# nginx connects.
location /proxy {
    # Accepts any URL from user input: host, port and path all come from
    # $arg_url, and the connection is made from the server's own network
    # position. There is no allowlist and no validation before proxy_pass.
    proxy_pass $arg_url;
}

SSRF-resistant configuration using an allowlist of targets:

# Allowlist for the proxy: the client only supplies a short name in the
# `target` query argument; the upstream URL itself is fixed by the operator.
# Any name that is not listed falls through to the empty default, which the
# /proxy location checks for and rejects.
# NOTE(review): nginx compares plain-string map keys ignoring case, so a
# differently-cased name also selects an entry here; the case-sensitive
# regex check in the location is what narrows it to the exact spelling.
map $arg_target $proxy_url {
    "service1"  "http://internal-service1.local:8080";
    "service2"  "http://internal-service2.local:8080";
    default     "";
}

server {
    location /proxy {
        # Reject any request whose `target` did not match an entry in the
        # map (the map's default value is the empty string).
        if ($proxy_url = "") {
            return 400 "Invalid target";
        }
        
        # Second check on the raw argument. The map lookup ignores case for
        # plain-string keys, while this regex is case-sensitive, so only the
        # exact lowercase names get past this point. The list of names is
        # duplicated here and in the map; keep both in sync when adding a
        # target, otherwise a new map entry is answered with 403.
        if ($arg_target !~ ^(service1|service2)$) {
            return 403;
        }
        
        # Forwarding headers. These tell the backend who the client is; they
        # are not a security control in themselves.
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For header the client sent, so every entry except the
        # last one is client-supplied and should not be trusted by the backend.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        # Do not rewrite Location/Refresh headers returned by the upstream.
        # NOTE(review): this does not prevent open redirects. A redirect
        # issued by the backend is relayed to the client unchanged, and its
        # Location header can disclose internal host names.
        proxy_redirect off;
        
        # The upstream host comes from the allowlist, but $request_uri is the
        # client's original URI exactly as received, query string included.
        # Nothing is stripped or normalised, so the path and arguments sent
        # to the internal service are still chosen by the client; the
        # backend must apply its own access control to them.
        # NOTE(review): because proxy_pass contains a variable, nginx looks
        # the host name up at request time. That requires a `resolver`
        # directive pointing at a trusted internal DNS server (or upstream
        # groups with matching names); none is visible in this snippet.
        proxy_pass $proxy_url$request_uri;
        
        # Limit how long an unreachable or stalled backend can tie up a
        # connection. The send/read values bound the gap between two
        # successive writes/reads, not the duration of the whole transfer.
        proxy_connect_timeout 5s;
        proxy_send_timeout 10s;
        proxy_read_timeout 10s;
    }
}