Unrestricted access to NGINX+ Status module
Description
NGINX Plus is a commercial web server and load balancer that includes the ngx_http_status_module, which exposes real-time server metrics and status information through a web interface. This module provides detailed operational data including active connections, request statistics, upstream server health, and cache performance metrics. When this status endpoint is accessible without authentication or IP restrictions, unauthorized users can view sensitive information about the server's configuration and performance characteristics.
Remediation
Restrict access to the NGINX Plus status module by implementing IP-based access controls or requiring authentication. Apply one or both of the following methods:
Method 1: IP Address Restriction
Limit access to trusted IP addresses or networks only:
location /status {
    status;
    allow 192.168.1.0/24;   # Allow internal network
    allow 10.0.0.5;         # Allow specific monitoring server
    deny all;               # Deny all other access
}

Method 2: HTTP Basic Authentication
Require username and password authentication:
location /status {
    status;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

For production environments, combine both methods for defense in depth. Additionally, consider using HTTPS to encrypt status data in transit and regularly review access logs for unauthorized access attempts.
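The following Python script is an added example, not part of the original finding or of NGINX's own tooling. It audits an NGINX configuration for `location` blocks that enable the `status` directive and reports whether each one is protected by an IP restriction (at least one `allow` plus `deny all`), by HTTP Basic authentication (`auth_basic` plus `auth_basic_user_file`), or by neither. The three configuration strings are constructed for the example: an exposed block, a block with `allow` but no `deny all` (a common mistake that restricts nothing), and a block hardened with both methods from the remediation above.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    """Result for one location block that enables the status module."""
    location: str
    ip_restricted: bool    # has at least one `allow` and a closing `deny all`
    auth_required: bool    # has `auth_basic` (not `off`) and a user file

    @property
    def exposed(self) -> bool:
        # Either control on its own closes the finding; both is defense in depth.
        return not (self.ip_restricted or self.auth_required)


# Matches `location /status {`, `location = /status {`, `location ~ ^/st {`.
_LOCATION_RE = re.compile(r"\blocation\s+([^\s{]+(?:\s+[^\s{]+)?)\s*\{")


def _strip_comments(config: str) -> str:
    """Remove `# ...` comments so commented-out directives are not counted."""
    return re.sub(r"#[^\n]*", "", config)


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the brace at `open_brace` and its match."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in location block")


def _directives(body: str) -> List[str]:
    """Split a block body into whitespace-normalised directive strings."""
    parts = re.split(r"[;{}]", body)
    return [" ".join(p.split()) for p in parts if p.strip()]


def audit_status_locations(config: str) -> List[Finding]:
    """Find every location that enables `status;` and classify its access controls."""
    text = _strip_comments(config)
    findings = []
    for m in _LOCATION_RE.finditer(text):
        directives = _directives(_block_body(text, m.end() - 1))
        if "status" not in directives:
            continue
        has_allow = any(d.startswith("allow ") for d in directives)
        has_deny_all = "deny all" in directives
        has_auth = any(re.match(r"auth_basic\s+(?!off\b)", d) for d in directives)
        has_userfile = any(d.startswith("auth_basic_user_file ") for d in directives)
        findings.append(Finding(
            location=m.group(1),
            ip_restricted=has_allow and has_deny_all,
            auth_required=has_auth and has_userfile,
        ))
    return findings


# Constructed sample configurations (not taken from any real deployment).
EXPOSED_CONFIG = """
server {
    listen 80;
    location /status {
        status;
    }
}
"""

ALLOW_ONLY_CONFIG = """
server {
    location /status {
        status;
        allow 10.0.0.5;   # no `deny all`, so every other client is still permitted
    }
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    location /status {
        status;
        allow 192.168.1.0/24;
        allow 10.0.0.5;
        deny all;
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
"""


if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG),
                      ("allow-only", ALLOW_ONLY_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        for f in audit_status_locations(cfg):
            state = "EXPOSED" if f.exposed else "restricted"
            print(f"{name:11s} {f.location:10s} {state} "
                  f"(ip={f.ip_restricted}, auth={f.auth_required})")
```

Run it against a copy of the live configuration (for example the output of `nginx -T`) to confirm that every status location carries at least one of the two controls. When both are present, NGINX's default `satisfy all` behaviour means a request must pass the IP check and supply valid credentials, which is the combined setup the remediation recommends. On NGINX Plus releases where the legacy `status` directive has been replaced by the `api` endpoint, the same `allow`/`deny` and `auth_basic` controls apply to that location and the check can be extended by also matching `api` in the directive list.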