Guard websites with a secret handshake [ngx_http_knock_module]

Phillip Taylor (nginx) nginx at
Mon Aug 18 23:50:31 UTC 2014

Hello everyone,

I've written a module for nginx that takes the concept of "Port 
Knocking" and applies it to websites. When you visit an configured nginx 
website, it returns a 404 "page not found" error. However if you go to 
secret urls, even though they all, on the service appear to return 404, 
you are secretly handshaking with nginx. After you've hit the magic 
combination you ip is logged server side, and you're allowed to the 
visit the site (that is, it returns content instead of 404).

The benefits include:
* private websites
* protect login pages against bots and scripts
* protect against zero day exploits
* protect against known exploits if you're slow to defend the site.

The code, documentation and even a link to demonstration youtube video 
is available here:

I contact this mailing list:

* to raise awareness that I have developed it.
* for possibly inclusion on the 3rd Party Modules page for nginx 
* to ask if you would be so kind to provide some code review feedback 
and advice regarding its quality.
* and any other thoughts.

Thank you

Phillip Taylor

More information about the nginx-devel mailing list