Welcome! Log In Create A New Profile

Re: Questions about proxy_pass and internal directives

Forum List Message List New Topic Print View

Reinis Rozitis

October 18, 2012 09:34PM

> I use "internal" directive to block direct access to anything
> "/foo/bar/,,,", which seems to be what nginx is doing. At the same time, I
> proxy_pass the request to the backend application server to check for
> permissions. If success, the backend server sends a 'X-Accel-Redirect'
> header back to nginx to serve the file.
> I may need to rethink my design here. Ideally, I want users who request
> "/foo/bar/sth" in their browsers get served by nginx with the file
> "/foo/bar/sth/sth.html", while letting the backend application server
> control the access to the file.

Well then you are doing it generally right, the only tricky part to
innitially understand is using different location blocks - one for the
proxy_pass and one for the protected files.
The example is shown also in the XSendfile wiki page.

- To really protect the files while not necessary you should keep them out
of the default webroot.
- First you define the location you will be using as URLs on your website
(there is no need for such directories or files to actually exist as all the
requests will be sent to the backend for it to decide what to do next).

location /foo/bar {
proxy_pass http://127.0.0.1:8080;
proxy_redirect off;
}

- Second you define the location what will be used in the X-Accel-Redirect
header sent from the backend server.

location /protected/ {
internal;
root /data/files;
#or alias /data/files/; - in case you want to leave the '/protected'
out of your physical data path.
}

1. Now if you request mysite.com/foo/bar/sth.html the request is sent the to
backend ( http://127.0.0.1:8080/foo/bar/sth.html )
2. If the download is allowed (whatever logic the application implements)
backend should respond with X-Accel-Redirect: /protected/foo/bar/sth.html
( you can change the directory tree or even the resulting file names as you
wish / the only requirement is to leave the defined internal path (in this
case '/protected').
3. Depending on what you used ('root' or 'alias') in the protected location
block a file from /data/files/protected/foo/bar/sth.html or
/data/files/foo/bar/sth.html will be served by nginx.
4 .Even if people discover the backend url or the X-Accel-Redirect header
there is no way for them to acess the files directly since
mysite.com/protected/foo/bar/sth.html wont work for them.

rr

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Questions about proxy_pass and internal directives	mrtn	October 18, 2012 03:28PM
Re: Questions about proxy_pass and internal directives	mrtn	October 18, 2012 03:54PM
Re: Questions about proxy_pass and internal directives	VBart	October 18, 2012 04:24PM
Re: Questions about proxy_pass and internal directives	mrtn	October 18, 2012 04:32PM
Re: Questions about proxy_pass and internal directives	Reinis Rozitis	October 18, 2012 04:56PM
Re: Questions about proxy_pass and internal directives	mrtn	October 18, 2012 06:18PM
Re: Questions about proxy_pass and internal directives	mrtn	October 18, 2012 06:48PM
Re: Questions about proxy_pass and internal directives	Reinis Rozitis	October 18, 2012 07:38PM
Re: Questions about proxy_pass and internal directives	mrtn	October 18, 2012 08:08PM
Re: Questions about proxy_pass and internal directives	mrtn	October 18, 2012 08:38PM
Re: Questions about proxy_pass and internal directives	VBart	October 18, 2012 08:40PM
Re: Questions about proxy_pass and internal directives	Reinis Rozitis	October 18, 2012 09:34PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

ZiqianXu

Guests: 306

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018