Nginx as a proxy to external content & upstream response header

Posted by rsawer 
February 07, 2012 07:45AM
Hi!

I'm trying to configure nginx as a proxy to external content, and I'm trying to do it in a kind of "secure" way. By "secure" I mean that I would like to permit only mime-types chosen by me (images only, to be precise), but I can't get to the upstream's response headers.

I'm sending an example request:

http://proxy.dot.org/?HOST=kernel.org&SRC=kernel.org/logos/logo70-tran.png

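And my config looks like this:

    server {
        listen 192.168.1.1:80;
        server_name proxy.dot.org;
        resolver 8.8.8.8;

        location / {
            # Only serve requests referred from the chosen site
            valid_referers some.domains.org;

            if ($invalid_referer) {
                return 404;
            }

            # Upstream host and URL are taken from the query string
            proxy_set_header Host $arg_HOST;
            proxy_pass http://$arg_SRC;

            # Intended check: allow image content types only
            if ($http_content_type !~* "image.*") {
                return 403;
            }
        }
    }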

In the debug log I see that nginx doesn't see the Content-Type header at the moment I would like it to:

2012/02/07 13:18:01 [notice] 5367#0: *267597259 "image.*" does not match "", client: 192.168.104.11, server: proxy.esky.pl, request: "GET /?HOST=kernel.org&SRC=kernel.org/logos/logo70-tran.png HTTP/1.1", host: "proxy.dot.org"

For me an excellent variable would be $upstream_http_content-type but it's designed for logging purposes only :(

I'm also aware that this kind of "protection" shouldn't be called "secure", but well... better that than nothing :) The best way would be if nginx sent a HEAD request and, based on the received header, permitted/dropped the GET request so it would save some bandwidth, but that's wishful thinking I think ;) The general idea is that I don't want someone to exploit that proxy for evil purposes :)


I would be grateful for any ideas how to solve that problem :)

Best regards,
Rafal Sawer
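
An added example, not part of the original post: `if` is evaluated before the request is proxied and `$http_content_type` is the client's own request header, so the check in the config above can never see the upstream response. One way to enforce "images only" with stock nginx is to allowlist the source at request time and let `image_filter test` validate the response body. Assumptions: nginx is built with `ngx_http_image_filter_module`, and the `kernel.org` allowlist entries and the 2M buffer size are constructed sample values.

```nginx
# Added example, not the poster's config.
# Assumes ngx_http_image_filter_module is compiled in or loaded.

# $arg_SRC has the form "host/path"; accept only sources on approved hosts.
map $arg_SRC $src_allowed {
    default             0;
    "~*^kernel\.org/"   1;   # constructed allowlist entry
}

# The Host header sent upstream must name an approved host as well.
map $arg_HOST $host_allowed {
    default      0;
    kernel.org   1;          # constructed allowlist entry
}

server {
    listen      192.168.1.1:80;
    server_name proxy.dot.org;
    resolver    8.8.8.8;

    location / {
        valid_referers some.domains.org;
        if ($invalid_referer) {
            return 404;
        }

        # Request-time checks: these run before proxying, so they can
        # only use request data (arguments, headers, client address).
        if ($src_allowed = 0) {
            return 403;
        }
        if ($host_allowed = 0) {
            return 403;
        }

        proxy_set_header Host $arg_HOST;
        proxy_pass       http://$arg_SRC;

        # Response-time check: the body must parse as JPEG, GIF, PNG or
        # WebP, otherwise nginx answers 415 instead of relaying it.
        image_filter        test;
        image_filter_buffer 2M;   # responses larger than this also get 415
    }
}
```

Because `image_filter test` inspects the image data itself, it does not depend on the upstream sending an honest `Content-Type` header.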