Hi!
I'm trying to configure nginx as a proxy to external content, and I'm trying to do it in a kind of "secure" way. By "secure" I mean that I would like to permit only MIME types chosen by me (images only, to be precise), but I can't get to the upstream's response headers.
I'm sending an example request:
http://proxy.dot.org/?HOST=kernel.org&SRC=kernel.org/logos/logo70-tran.png
And my config looks like this:
    server {
        listen 192.168.1.1:80;
        server_name proxy.dot.org;
        resolver 8.8.8.8;

        location / {
            valid_referers some.domains.org;
            if ($invalid_referer) {
                return 404;
            }

            proxy_set_header Host $arg_HOST;
            proxy_pass http://$arg_SRC;

            if ($http_content_type !~* "image.*") {
                return 403;
            }
        }
    }
In the debug log I see that nginx doesn't see the Content-Type header at the moment I would like it to:
    2012/02/07 13:18:01 [notice] 5367#0: *267597259 "image.*" does not match "", client: 192.168.104.11, server: proxy.esky.pl, request: "GET /?HOST=kernel.org&SRC=kernel.org/logos/logo70-tran.png HTTP/1.1", host: "proxy.dot.org"
For me an excellent variable would be $upstream_http_content-type but it's designed for logging purposes only :(
I'm also aware that this kind of "protection" shouldn't be called "secure", but well... better that than nothing :) The best way would be if nginx sent a HEAD request and, based on the received header, would permit/drop a GET request, so it would save some bandwidth, but that's wishful thinking I think ;) The general idea is that I don't want someone to exploit that proxy for evil purposes :)
I would be grateful for any ideas on how to solve that problem :)
Best regards,
Rafal Sawer
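
Added example (not part of the original post, and not nginx code): the "image.*" test in the config above is a case-insensitive, unanchored match, so it accepts any header value that merely contains "image". The Python sketch below compares that check with a strict media-type allowlist applied to upstream response headers; the allowlist contents, the function names and the sample headers are assumptions constructed for illustration.

```python
import re

# The check from the posted config: case-insensitive, unanchored "image.*".
PAGE_REGEX = re.compile(r"image.*", re.IGNORECASE)

# Assumed allowlist (not from the post): raster formats only. image/svg+xml
# is left out because SVG can carry script.
ALLOWED_TYPES = frozenset({"image/png", "image/jpeg", "image/gif", "image/webp"})


def media_type(content_type):
    """Return the lower-cased type/subtype of a Content-Type value, or None."""
    if not content_type:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    # Require exactly one "/" with a non-empty token on each side.
    if not re.fullmatch(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+", essence):
        return None
    return essence


def regex_allows(content_type):
    """Decision the posted regex would make on an upstream Content-Type."""
    return bool(PAGE_REGEX.search(content_type or ""))


def strict_allows(headers):
    """Allow only if exactly one Content-Type header is present and listed."""
    values = [v for k, v in headers if k.lower() == "content-type"]
    if len(values) != 1:
        return False
    return media_type(values[0]) in ALLOWED_TYPES


# Constructed upstream response headers (not captured traffic).
SAMPLES = [
    [("Content-Type", "image/png")],
    [("content-type", "IMAGE/JPEG; charset=binary")],
    [("Content-Type", "text/html; note=image")],
    [("Content-Type", "image/svg+xml")],
    [("Content-Type", "application/x-image-installer")],
    [("Server", "example")],
]

if __name__ == "__main__":
    for hdrs in SAMPLES:
        ct = dict((k.lower(), v) for k, v in hdrs).get("content-type")
        print(f"{ct!r:40} regex={regex_allows(ct)!s:5} strict={strict_allows(hdrs)}")
```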