If you are getting the following error in your Rails app:

   unexpected token at 'alihack

…it can be blocked in your nginx config.

The following snippet can be placed inside the server block and returns a ‘400 Bad Request’ with a text message in the body.

A big assumption here is that your app is not using JSON – it blocks all JSON PUT requests. If that is a problem, this could be refined to check for a third header that your own app sets.

You could change this to a redirect or a JSON response if you want (commented out below).

# ali.txt attempt on any URL
# flag requests whose body is declared as JSON
if ($content_type = "application/json") {
  set $ali_txt JSON;
}

# append the method, so a JSON PUT ends up as "JSON_PUT"
if ($request_method = PUT) {
  set $ali_txt "${ali_txt}_PUT";
}

# only a JSON PUT reaches this branch
if ($ali_txt = JSON_PUT) {
  return 400 "Bad request - ignoring";
  # return 444;
  # return 301 http://www.example.com/some-page;
}

This should not be placed inside a location block.
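As an added example (not from the original post), here is the refinement mentioned above: the same JSON PUT rule, but letting through requests that carry a header your own app sets. The header name X-App-Request is an assumption; nginx exposes any request header as $http_<name>, so it is read here as $http_x_app_request.

```nginx
# Added example (not from the original post): block anonymous JSON PUTs but
# let through JSON PUTs that carry a header the app itself sets.
# Assumption: the app sends "X-App-Request: 1" on its own PUT calls; nginx
# exposes that header as $http_x_app_request. Place inside the server block,
# not inside a location block; nginx "if" blocks cannot be nested.

set $ali_txt "";   # initialise so the final comparison never sees an unset variable

# prefix match, so "application/json; charset=utf-8" is treated as JSON too
if ($content_type ~* "^application/json") {
  set $ali_txt JSON;
}

if ($request_method = PUT) {
  set $ali_txt "${ali_txt}_PUT";
}

# requests carrying the app's own header are marked as allowed
if ($http_x_app_request != "") {
  set $ali_txt "${ali_txt}_APP";
}

# only a JSON PUT without the app header is still "JSON_PUT" here
if ($ali_txt = JSON_PUT) {
  return 400 "Bad request - ignoring";
}
```

Check it with `nginx -t` before reloading, and confirm with your app's own PUT calls that the header is actually sent, since a missing header would be blocked exactly like the probe.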

5 responses to “How to ignore alihack requests using your nginx config”

  1. Hi! Wouldn't this code block *all* JSON put attempts? If so, this may break legit asynchronous calls.

  2. Doesn't this come with a fairly huge caveat? Looks like it would break all PUT JSON requests, good or bad. If so, it could mess up your APIs, especially since your Rails-level tests would pass but nginx would deny those requests.

  3. You are both right – I have updated the post. Thanks.

  4. we did this:
    location /ali.txt {
      if ($request_method = PUT) {
        return 400 "Bad request - ignoring";
      }
    }