Questions about proxy_pass and internal directives
Reinis Rozitis
r at roze.lv
Fri Oct 19 01:32:38 UTC 2012
> I use "internal" directive to block direct access to anything
> "/foo/bar/,,,", which seems to be what nginx is doing. At the same time, I
> proxy_pass the request to the backend application server to check for
> permissions. If success, the backend server sends a 'X-Accel-Redirect'
> header back to nginx to serve the file.
> I may need to rethink my design here. Ideally, I want users who request
> "/foo/bar/sth" in their browsers get served by nginx with the file
> "/foo/bar/sth/sth.html", while letting the backend application server
> control the access to the file.
Well then you are doing it generally right, the only tricky part to
initially understand is using different location blocks - one for the
proxy_pass and one for the protected files.
The example is shown also in the XSendfile wiki page.
- To really protect the files, while not necessary, you should keep them out
of the default webroot.
- First you define the location you will be using as URLs on your website
(there is no need for such directories or files to actually exist as all the
requests will be sent to the backend for it to decide what to do next).
    location /foo/bar {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
    }
- Second you define the location that will be used in the X-Accel-Redirect
header sent from the backend server.
    location /protected/ {
        internal;
        root /data/files;
        # or alias /data/files/; - in case you want to leave the '/protected'
        # out of your physical data path.
    }
1. Now if you request mysite.com/foo/bar/sth.html the request is sent to the
backend ( http://127.0.0.1:8080/foo/bar/sth.html )
2. If the download is allowed (whatever logic the application implements)
backend should respond with X-Accel-Redirect: /protected/foo/bar/sth.html
( you can change the directory tree or even the resulting file names as you
wish / the only requirement is to leave the defined internal path (in this
case '/protected') ).
3. Depending on what you used ('root' or 'alias') in the protected location
block a file from /data/files/protected/foo/bar/sth.html or
/data/files/foo/bar/sth.html will be served by nginx.
4. Even if people discover the backend url or the X-Accel-Redirect header
there is no way for them to access the files directly since
mysite.com/protected/foo/bar/sth.html won't work for them.
rr
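
The backend side of the flow described above, as an added example that is not part of the original post: a minimal Python WSGI app that normalises the requested path, checks permissions and answers with X-Accel-Redirect, plus a helper showing which file 'root' and 'alias' resolve to. The ALLOWED table, the helper names and REMOTE_USER being set by an authentication layer are assumptions made for illustration.

```python
import posixpath
from wsgiref.util import setup_testing_defaults

PUBLIC_PREFIX = "/foo/bar/"      # location that is proxy_pass'ed to this backend
INTERNAL_PREFIX = "/protected"   # nginx location marked 'internal'
DATA_DIR = "/data/files"         # root/alias value from the nginx config
ALLOWED = {("alice", "/foo/bar/sth.html")}  # constructed sample permissions


def internal_uri(request_path):
    """Return the X-Accel-Redirect URI for a public path, or None if unsafe."""
    if "\x00" in request_path:
        return None
    # Collapse '.' and '..' first so the prefix check sees the real target.
    norm = posixpath.normpath(request_path)
    if not norm.startswith(PUBLIC_PREFIX):
        return None
    return INTERNAL_PREFIX + norm


def served_file(uri, directive):
    """Path nginx reads for an internal URI under 'root' or 'alias'."""
    if directive == "root":      # root: the full URI is appended to the path
        return DATA_DIR + uri
    return DATA_DIR + uri[len(INTERNAL_PREFIX):]  # alias: prefix is replaced


def app(environ, start_response):
    user = environ.get("REMOTE_USER")  # assumed to be set by an auth layer
    target = internal_uri(environ.get("PATH_INFO", ""))
    if target is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    if (user, target[len(INTERNAL_PREFIX):]) not in ALLOWED:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    # Empty body: nginx replaces it with the file behind the internal URI.
    start_response("200 OK", [("X-Accel-Redirect", target)])
    return [b""]


def simulate(path, user=None):
    """Call app() with a constructed request; return (status, headers)."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if user:
        environ["REMOTE_USER"] = user
    app(environ, lambda status, headers: seen.update(status=status, headers=dict(headers)))
    return seen["status"], seen["headers"]
```

The permission check runs on the normalised path, so the file that is authorised is the same file that is named in the header.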