How to do proxy in this case

Francis Daly francis at daoine.org
Wed Jun 7 06:17:29 UTC 2017


On Tue, Jun 06, 2017 at 09:13:55AM -0400, David Woodstuck wrote:

Hi there,

> I have one proxy server(nginx) - such as nginx.mycom.com and three upstream
> servers - name1.mycom.com, name2.mycom.com, name3.mycom.com for my one
> application. Contents from upstream servers have a lot of iframes which
> have different domains. I want to allow XSS for these different domains. I
> don't know how to achieve XSS for this application.

If these different domains are all under your control; and if you
want them to always work together as a single application; then if you
configure things such that the three upstream servers have their content
at different places in the url hierarchy, you can use nginx to simply
reverse-proxy for all three.

The browser will only ever talk to nginx using the server name
nginx.mycom.com, so there is no XSS involved since there is only one S,
and therefore no X.

> For instance, when contents from name1.mycom.com has two iframes that their
> src are name1.mycom.com/content1 and name2.mycom.com/content2, can I do the
> following to achieve XSS?

If you control things, I suggest it would be simpler to have all of the
name1.mycom.com content below /content1; all of the name2.mycom.com
content below /content2; and all of the name3.mycom.com content below
/content3.

Then your iframes would not include the server name part, just the
local part -- so your iframes would refer to /content1/ and /content2/
in this case.

Your nginx conf would include fragments like

  location ^~ /content1/ { proxy_pass http://name1.mycom.com; }
  location ^~ /content2/ { proxy_pass http://name2.mycom.com; }
  location ^~ /content3/ { proxy_pass http://name3.mycom.com; }

> (1). replace name1.mycom.com/content1 with nginx.mycom.com/content1
>       replace name2.mycom.com/content1 with nginx.mycom.com/content2
>       add_header for XSS

You would not need to do that in the scheme above, since "name1" and
"name2" should never exist in the content.

> (2). When nginx.mycom.com/content1 request is coming, proxy to
> name1.mycom.com/content1

That part you would do, with the config shown.

>       add_header for XSS

That part you do not need, since there is no XSS.

> (3). When nginx.mycom.com/content2 request is coming, proxy to
> name2.mycom.com/content2
>       add_header for XSS

Same as (2).

> I only have limited knowledge of Nginx. I like to use NginxScript to
> achieve this goal. Can I do it in Nginx? I do appreciate your suggestion
> and some examples.

I would suggest avoiding the need for any kind of content rewriting,
and just keeping the nginx side very simple. Get the overall system
config the way you want it, and it should Just Work.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
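The single-origin layout described in the reply, written out as a complete server block. This is an added example, not configuration from the reply or from the nginx project; the listener, the X-Forwarded-* headers and the catch-all 404 location are assumptions, while the server and upstream names are the ones from the thread.

```nginx
# Added example (not from the reply above). The browser only ever talks
# to nginx.mycom.com, so every iframe is same-origin: a page served from
# /content1/ embeds <iframe src="/content2/..."> with no host part, and no
# cross-origin headers are needed at all.
server {
    listen 80;                      # assumed: plain HTTP front end
    server_name nginx.mycom.com;

    # Assumed forwarding headers, set once here and inherited by every
    # location below. Host is left at its default ($proxy_host), so each
    # upstream still sees its own name (name1.mycom.com, ...).
    proxy_set_header X-Real-IP        $remote_addr;
    proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;

    # ^~ is a prefix match that also stops regex location checking, so a
    # request under /content1/ cannot be captured by some other rule.
    # proxy_pass carries no URI part, so the request path is forwarded
    # unchanged: GET /content1/page.html reaches name1.mycom.com as
    # GET /content1/page.html. That is why each upstream has to serve its
    # content under its own prefix, exactly as the reply recommends.
    location ^~ /content1/ { proxy_pass http://name1.mycom.com; }
    location ^~ /content2/ { proxy_pass http://name2.mycom.com; }
    location ^~ /content3/ { proxy_pass http://name3.mycom.com; }

    # Assumed default: anything outside the three prefixes has no upstream,
    # so a stray path is answered here instead of being forwarded anywhere.
    location / { return 404; }
}
```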

