Mitigate ShellShock inline in nginx with ngx_shellshocked

If you're a server administrator, a fair amount of your time has been consumed lately dealing with the ShellShock vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278).


I've gradually moved over to using nginx over Apache httpd as a web hosting platform in the last year. I've been using it a lot recently as a reverse proxy/cache/SSL offload/SPDY gateway, front-ending other nginx or Apache servers.

I stumbled on a new module that attempts to mitigate the ShellShock vulnerability inline, called ngx_shellshocked, courtesy of abedra over on GitHub. Installation is fairly simple.

Assuming you've cloned it to /source/ngx_shellshocked, add it to the nginx build with:


./configure --add-module=/source/ngx_shellshocked <other configure options go here>
make
make install

Once you have the module built into nginx, it's simple enough to enable it. In the http { } section of your nginx.conf, add:

shellshocked on;

It will then filter for the signature of ShellShock and log errors to the error log whenever it stops a request.
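
To see independently of the module what has been arriving at your servers, the following added example (not part of ngx_shellshocked or of the original post) scans nginx combined-format access log lines for the `() {` function-definition prefix that ShellShock requests carry. The log lines, SAMPLE and the function names are constructed for illustration; the module's own matching logic is not shown here.

```python
import re

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Function-definition prefix; whitespace between the tokens is matched loosely on purpose.
SIGNATURE = re.compile(r'\(\)\s*\{')

# Constructed sample log lines (documentation IP ranges, harmless echo as the trailing command).
SAMPLE = [
    '203.0.113.7 - - [28/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '403 162 "-" "() { :; }; echo sample"',
    '198.51.100.4 - - [28/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 48 "() { :; }; echo sample" "curl/7.35.0"',
]

def find_shellshock(lines):
    """Return (ip, field, status) for every logged field that carries the signature."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at the layout
        for field in ("request", "referer", "agent"):
            if SIGNATURE.search(m.group(field)):
                hits.append((m.group("ip"), field, int(m.group("status"))))
    return hits

def served_ok(hits):
    """Hits answered with a 2xx status: the request was served, so review the backend."""
    return [h for h in hits if 200 <= h[2] < 300]

if __name__ == "__main__":
    hits = find_shellshock(SAMPLE)
    for ip, field, status in hits:
        print(f"{ip} sent the signature in {field} (status {status})")
    print("served with 2xx:", served_ok(hits))
```

Only the request line, Referer and User-Agent appear in the combined log format, so a signature sent in any other header will not show up in this scan.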

Of course, this doesn't mean you can skip updating bash on the back end, but it is a useful arrow in the quiver to counteract a potentially nasty vulnerability.

Let me know your thoughts in the comments below. 

