Nginx as a forward proxy - denying contents by MIME type

Posted by kissg1988 
Nginx as a forward proxy - denying contents by MIME type
April 17, 2014 02:58PM
Hi,

I'd like to use nginx 1.2.1 as a filtering & caching proxy on my Raspberry Pi. Filtering domain names and URLs is easy but I could not find a way to filter contents by their MIME type.

To be a little bit more specific, I want to deny clients to download or watch multimedia contents (MIME types: audio/*, video/*). In order to achieve this, I created a mapping like this:

map $sent_http_content_type $is_forbidden {
    default       0;
    "~audio\/.*"  1;
    "~video\/.*"  1;
}

I tried various methods to send a 403 forbidden response to the client in case a forbidden content is being downloaded, without any luck.

1. Tried specifying in an if block - which would never work as it turned out that if statements are expanded before the response is received so the variable $sent_http_content_type will always be empty and thus the mapping returns 0:

location / {
    if ($is_forbidden = 1) {
        return 403;
    }
}

2. Tried using the add_header directive to append a header to the response:

location / {
    add_header X-Forbidden $is_forbidden;
}

This works like a charm, I can see on the client that my custom header contains 0 or 1 according to the content's MIME type, yet I can't evaluate the header's value server-side for the same reason as above.

3. Tried creating a second proxy instance to check the value of X-Forbidden there but that also didn't work as expected, I couldn't push the forwarded requests to the destination servers without causing 400 errors - this is likely to be a configuration issue although I don't think this solution would be the most appropriate one.

I'm aware that there are several alternatives (eg. Squid 3 has the exact capability I need) but other solutions would need more resources and therefore would run much slower on a small embedded device like my Raspberry Pi.

Please assist me, I'm completely stuck with this.

Thanks,
Gergely



Edited 1 time(s). Last edit at 04/17/2014 02:58PM by kissg1988.
Re: Nginx as a forward proxy - denying contents by MIME type
April 18, 2014 05:31PM
For those who are looking for a working solution: I could solve this by installing a basic squid server and setting up nginx to simply forward requests to squid.

Here's the nginx config I use now:

********************************************************

include proxy_params;

upstream squid {
    server 127.0.0.1:3128;
}

# simple forwarding proxy facing the clients
server {
    listen 192.168.182.2:80;

    location / {
        proxy_buffering off;
        proxy_pass http://squid;
    }
}

********************************************************

To do the filtering based on MIME type, I just had to append these two lines to my squid.conf:

acl deny_rep_mime_types rep_mime_type audio/ video/
http_reply_access deny deny_rep_mime_types



Edited 1 time(s). Last edit at 04/18/2014 05:33PM by kissg1988.
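
Added example, not part of the original posts: a small Python model of how the patterns from this thread (the nginx map entries and the squid rep_mime_type arguments) classify Content-Type values. It assumes both are applied as unanchored, case-sensitive regular expressions against the header value; the HARDENED list and all sample values are constructed here, and HARDENED with ignore_case=True corresponds to writing the ACL as `rep_mime_type -i ^audio/ ^video/`.

```python
import re

# Patterns exactly as they appear in the thread.
NGINX_MAP = [r"audio\/.*", r"video\/.*"]   # the "~..." entries of the map block
SQUID_ACL = ["audio/", "video/"]           # arguments of the rep_mime_type acl

# Assumption (not from the thread): anchored variant, used case-insensitively.
HARDENED = [r"^audio/", r"^video/"]

# Constructed sample Content-Type values; None models a reply without the header.
SAMPLES = [
    "audio/mpeg",
    'video/mp4; codecs="avc1.42E01E"',   # type followed by a parameter
    "Video/MP4",                         # MIME types are case-insensitive
    "text/x-audio/notes",                # constructed non-media type containing "audio/"
    "text/html; charset=utf-8",
    None,
]


def is_denied(content_type, patterns, ignore_case=False):
    """True if any pattern matches anywhere in the Content-Type value."""
    if content_type is None:
        return False                     # nothing to match, reply is allowed
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, content_type, flags) for p in patterns)


def report(patterns, ignore_case=False):
    """Map every sample value to its deny decision for one pattern set."""
    return {ct: is_denied(ct, patterns, ignore_case) for ct in SAMPLES}


if __name__ == "__main__":
    rule_sets = [
        ("nginx map", NGINX_MAP, False),
        ("squid acl", SQUID_ACL, False),
        ("anchored -i", HARDENED, True),
    ]
    for name, patterns, ignore_case in rule_sets:
        print(name)
        for ct, denied in report(patterns, ignore_case).items():
            print(f"  {'DENY ' if denied else 'allow'}  {ct!r}")
```
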
Re: Nginx as a forward proxy - denying contents by MIME type
April 19, 2014 05:19AM
Another important point is that squid must be configured as a transparent (intercepting) proxy for this to work properly and the Host header must be forwarded to squid (that's done by including the proxy_params file).

I've attached my full squid config, just in case someone would need an out-of-the-box solution.
Attachments:
open | download - squid.conf (941 bytes)