Drupal cron.php access control.
António P. P. Almeida
appa at perusio.net
Wed Aug 18 17:08:50 MSD 2010
On 18 Ago 2010 00h49 WEST, mdounin at mdounin.ru wrote:
Hello Maxim,
Thank you for your reply.
> Hello!
>
> On Tue, Aug 17, 2010 at 09:08:53PM +0100, António P. P. Almeida
> wrote:
>
>> Hello,
>>
>> I'm setting an access control for Drupal cron.php that is invoked
>> via a cron job.
>>
>> I tried two approaches and both seem to work
>>
>> 1. Use the Access module and specify the allowed host.
>>
>> location /cron.php {
>> deny all;
>> allow 127.0.0.1;
>> allow 192.168.1.0/24;
>> fastcgi_pass 127.0.0.1:9000;
>> }
>
> This one will always return 403 due to "deny all" directive listed
> first. Order of deny/allow directives is important, first match
> wins.
It was working because I had created a new git branch and forgot to do
the checkout in the cloned repository in /etc/nginx. My mistake :(
I assumed that nginx would work like Apache minus the order deny,allow
directive. My reasoning was that first I denied access and then nginx
would parse the remaining directives to see if there are any allowed
addresses.
I noticed that at http://wiki.nginx.org/NginxHttpAccessModule
In fact the order is *always* allow <some addresses> deny all;
But I'm conditioned by the way Apache access directives work and
assumed it was +/- less the same minus the order directive.
I misunderstood the docs in the wiki. I just edited it trying to make
things more explicit. Lowering the probability for this type of mistake
to occur to someone else.
http://wiki.nginx.org/NginxHttpAccessModule#Synopsis
>> 2. Use a conditional.
>>
>> location /cron.php {
>> if ($remote_adrr ~* (192\.168\.1\.(1|2)|127\.0\.0\.1)) {
>> fastcgi_pass 127.0.0.1:9000;
>> }
>> return 404;
>> }
>
> This one will always return 404 (with s/adrr/addr/ typo fix).
> Probably you mean to add "break" inside "if".
Yes it's a typo. I just wrote instead of cutting & pasting.
> But this isn't recommended approach, see here for details:
>
> http://wiki.nginx.org/IfIsEvil
>
Yes I did that. Thank you. Currently:
# Restrict cron access to a specific host.
location /cron.php {
allow 127.0.0.1;
allow 192.168.1.0/24;
error_page 403 =404;
fastcgi_pass 127.0.0.1:9000;
deny all;
}
Working fine.
> Non-capturing groups work just fine. It's missed "break" which
> causes 404, see above.
Yes I have it in other locations and it's working fine. It was the
missing break. Anyway I dropped the if and followed your suggestion of
employing access rules.
> Maxim Dounin
--- appa