Welcome! Log In Create A New Profile

Advanced

Re: Questions about proxy_pass and internal directives

Reinis Rozitis
October 18, 2012 09:34PM
> I use "internal" directive to block direct access to anything
> "/foo/bar/,,,", which seems to be what nginx is doing. At the same time, I
> proxy_pass the request to the backend application server to check for
> permissions. If success, the backend server sends a 'X-Accel-Redirect'
> header back to nginx to serve the file.
> I may need to rethink my design here. Ideally, I want users who request
> "/foo/bar/sth" in their browsers get served by nginx with the file
> "/foo/bar/sth/sth.html", while letting the backend application server
> control the access to the file.

Well then you are doing it generally right, the only tricky part to
innitially understand is using different location blocks - one for the
proxy_pass and one for the protected files.
The example is shown also in the XSendfile wiki page.

- To really protect the files while not necessary you should keep them out
of the default webroot.
- First you define the location you will be using as URLs on your website
(there is no need for such directories or files to actually exist as all the
requests will be sent to the backend for it to decide what to do next).

location /foo/bar {
proxy_pass http://127.0.0.1:8080;
proxy_redirect off;
}


- Second you define the location what will be used in the X-Accel-Redirect
header sent from the backend server.

location /protected/ {
internal;
root /data/files;
#or alias /data/files/; - in case you want to leave the '/protected'
out of your physical data path.
}


1. Now if you request mysite.com/foo/bar/sth.html the request is sent the to
backend ( http://127.0.0.1:8080/foo/bar/sth.html )
2. If the download is allowed (whatever logic the application implements)
backend should respond with X-Accel-Redirect: /protected/foo/bar/sth.html
( you can change the directory tree or even the resulting file names as you
wish / the only requirement is to leave the defined internal path (in this
case '/protected').
3. Depending on what you used ('root' or 'alias') in the protected location
block a file from /data/files/protected/foo/bar/sth.html or
/data/files/foo/bar/sth.html will be served by nginx.
4 .Even if people discover the backend url or the X-Accel-Redirect header
there is no way for them to acess the files directly since
mysite.com/protected/foo/bar/sth.html wont work for them.


rr

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Questions about proxy_pass and internal directives

mrtn October 18, 2012 03:28PM

Re: Questions about proxy_pass and internal directives

mrtn October 18, 2012 03:54PM

Re: Questions about proxy_pass and internal directives

VBart October 18, 2012 04:24PM

Re: Questions about proxy_pass and internal directives

mrtn October 18, 2012 04:32PM

Re: Questions about proxy_pass and internal directives

Reinis Rozitis October 18, 2012 04:56PM

Re: Questions about proxy_pass and internal directives

mrtn October 18, 2012 06:18PM

Re: Questions about proxy_pass and internal directives

mrtn October 18, 2012 06:48PM

Re: Questions about proxy_pass and internal directives

Reinis Rozitis October 18, 2012 07:38PM

Re: Questions about proxy_pass and internal directives

mrtn October 18, 2012 08:08PM

Re: Questions about proxy_pass and internal directives

mrtn October 18, 2012 08:38PM

Re: Questions about proxy_pass and internal directives

VBart October 18, 2012 08:40PM

Re: Questions about proxy_pass and internal directives

Reinis Rozitis October 18, 2012 09:34PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 75
Record Number of Users: 8 on December 15, 2016
Record Number of Guests: 386 on August 02, 2016
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready