Drupal cron.php access control.

António P. P. Almeida appa at perusio.net
Wed Aug 18 17:08:50 MSD 2010


On 18 Aug 2010 00h49 WEST, mdounin at mdounin.ru wrote:

Hello Maxim,

Thank you for your reply.

> Hello!
>
> On Tue, Aug 17, 2010 at 09:08:53PM +0100, António P. P. Almeida
> wrote:
>
>> Hello,
>>
>> I'm setting up access control for Drupal cron.php, which is invoked
>> via a cron job.
>>
>> I tried two approaches and both seem to work.
>>
>> 1. Use the Access module and specify the allowed host.
>>
>> location /cron.php {
>>     deny all;
>>     allow 127.0.0.1;
>>     allow 192.168.1.0/24;
>>     fastcgi_pass 127.0.0.1:9000;
>> }
>
> This one will always return 403 due to "deny all" directive listed 
> first.  Order of deny/allow directives is important, first match 
> wins.

It was working because I had created a new git branch and forgot to do
the checkout in the cloned repository in /etc/nginx. My mistake :( 

I assumed that nginx would work like Apache minus the order deny,allow
directive. My reasoning was that first I denied access and then nginx
would parse the remaining directives to see if there are any allowed
addresses.

I noticed that at http://wiki.nginx.org/NginxHttpAccessModule:

    In fact the order is *always*: allow <some addresses>; deny all;

But I'm conditioned by the way Apache access directives work and
assumed it was more or less the same, minus the order directive.

I misunderstood the docs in the wiki. I just edited them to try to make
things more explicit, lowering the probability of this type of mistake
happening to someone else.

http://wiki.nginx.org/NginxHttpAccessModule#Synopsis

>> 2. Use a conditional.
>>
>> location /cron.php {
>>     if ($remote_adrr ~* (192\.168\.1\.(1|2)|127\.0\.0\.1)) {
>>         fastcgi_pass 127.0.0.1:9000;
>>     }
>>     return 404;
>> }
>
> This one will always return 404 (with s/adrr/addr/ typo fix).  
> Probably you mean to add "break" inside "if".

Yes, it's a typo. I just typed it out instead of cutting & pasting.

> But this isn't a recommended approach, see here for details:
>
> http://wiki.nginx.org/IfIsEvil
>

Yes, I did that. Thank you. Currently:

# Restrict cron access to a specific host.
location /cron.php {
    allow 127.0.0.1;
    allow 192.168.1.0/24;
    error_page 403 =404;
    fastcgi_pass 127.0.0.1:9000;
    deny all;
}

Working fine.

> Non-capturing groups work just fine.  It's missed "break" which 
> causes 404, see above.

Yes, I have it in other locations and it's working fine. It was the
missing break. Anyway, I dropped the if and followed your suggestion of
employing access rules.

> Maxim Dounin

--- appa
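The ordering point Maxim makes above is the whole story for the access module: rules are evaluated top to bottom and the first one that matches the client address decides. What follows is an added example, not code from this thread or from nginx: a small Python re-implementation of that first-match rule, run over the two orderings discussed above (the location blocks and the client addresses are constructed samples). It only looks at allow/deny lines, since nothing else in the block (fastcgi_pass, error_page) influences the access decision, and it does not model the error_page 403 =404 remap in the final configuration.

```python
"""First-match evaluation of nginx allow/deny rules (added example).

Added illustration, not code from the mailing-list thread or from nginx:
it re-implements the first-match-wins semantics of ngx_http_access_module
in Python so the two orderings from the thread can be compared offline.
"""
import ipaddress
import re

# Constructed sample: the first configuration from the thread, where
# "deny all" comes first and therefore matches every client.
DENY_FIRST = """
location /cron.php {
    deny all;
    allow 127.0.0.1;
    allow 192.168.1.0/24;
    fastcgi_pass 127.0.0.1:9000;
}
"""

# Constructed sample: allow rules first, "deny all" last.
ALLOW_FIRST = """
location /cron.php {
    allow 127.0.0.1;
    allow 192.168.1.0/24;
    fastcgi_pass 127.0.0.1:9000;
    deny all;
}
"""

RULE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;")


def parse_rules(conf):
    """Return (action, network) pairs in the order nginx would see them.

    Only allow/deny directives are considered; every other directive
    (fastcgi_pass, error_page, ...) is irrelevant to the access decision.
    'all' is represented by None so that it matches any client address.
    """
    rules = []
    for line in conf.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        action, target = m.groups()
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def decide(rules, client_ip):
    """Return the HTTP status the access module would produce for client_ip.

    Rules are checked in configuration order and the first one that matches
    the client address wins. If no rule matches, access is allowed: nginx has
    no implicit deny, so a block with only allow lines is open to everyone.
    An IPv4 rule never matches an IPv6 client (and vice versa); ipaddress
    returns False from 'in' for a cross-family check, which mirrors that.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return 200 if action == "allow" else 403
    return 200


def evaluate(conf, clients):
    """Map each client address to the status it would get under conf."""
    rules = parse_rules(conf)
    return {c: decide(rules, c) for c in clients}


if __name__ == "__main__":
    # Constructed client addresses: the cron host, a LAN host, an outsider.
    clients = ["127.0.0.1", "192.168.1.42", "203.0.113.9"]
    print("deny-first :", evaluate(DENY_FIRST, clients))
    print("allow-first:", evaluate(ALLOW_FIRST, clients))
```

Run stand-alone it shows every client getting 403 under the deny-first block and only the outsider getting 403 under the allow-first one. The IPv6 loopback case is worth keeping in mind when the cron job runs on the same box: "::1" is not covered by "allow 127.0.0.1", so it falls through to "deny all" unless an "allow ::1" line is added.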