Allow internal redirect to URI x, but deny external request for x?

Ian Hobson hobson42 at gmail.com
Sat Aug 31 14:41:31 UTC 2019


Hi Mark,

On 30/08/19 22:23, lists wrote:
> I've been following this thread not really out of need but rather that it is really interesting. That said, I don't think for security you want to "escape" the web root. The risk is that might aid a traversal attack.
> 
> 
I am curious to know how this might work. Nginx itself is safe, so it 
would have to be a script. And while those may indeed be vulnerable, is 
the vulnerability changed by symlinking the root elsewhere? I don't see 
any difference myself, but perhaps you know something I don't.

Regards

Ian
> 
> Original Message
> 
> From: hobson42 at gmail.com
> Sent: August 30, 2019 12:01 PM
> To: nginx at nginx.org
> Reply-to: nginx at nginx.org
> Subject: Re: Allow internal redirect to URI x, but deny external request for x?
> 
> 
> Hi Lewis,
> 
> On 30/08/19 18:33, J. Lewis Muir wrote:
>> Hello!
>>
>> I'm using nginx 1.12.2 on RHEL 7, and I've got a FastCGI web app that
>> uses a deployment structure which uses an atomic symlink change for an
>> atomic app deploy, and I'm wishing to be able to do an internal redirect
>> in nginx to URL x, but deny an external request to the same URL x so
>> that I don't serve the same content at more than one URL.  Is there a
>> way to do that?
>>
> You could place the different versions away from the root so they cannot
> be obtained from the web. Then they can be served by setting up a
> symlink to the desired version.
> 
> This can be changed using "ln -sfn version/dir serving/root" and then
> restarting nginx to pick up the new version.
> 
> By not using redirects, this method should be more efficient.
> 
> Regards
> 
> Ian
> 
> --
> Ian Hobson
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-- 
Ian Hobson
Tel (+351) 910 418 473
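
An added example, not part of the original messages or of nginx itself: the symlink switch described in the quoted reply, written as a shell function that refuses any version name resolving outside the releases directory, which is the traversal concern raised in the thread. The `releases/` and `serving/root` layout and the name `switch_release` are assumptions; `mv -T` is GNU coreutils.

```shell
#!/bin/sh
# Assumed layout (not from the thread):
#   $base/releases/<version>/   release trees, kept outside the web root
#   $base/serving/root          symlink that nginx uses as its root

# switch_release BASE VERSION
# Returns 0 after pointing BASE/serving/root at BASE/releases/VERSION.
# Returns 1 if VERSION is missing or resolves outside BASE/releases.
switch_release() {
    base=$1
    version=$2

    # Canonicalise both paths so "..", empty names and symlinked releases
    # are compared by where they really point.
    releases=$(readlink -f "$base/releases") || return 1
    target=$(readlink -f "$releases/$version") || return 1

    # Accept only a path strictly below releases/.
    case "$target" in
        "$releases"/*) ;;
        *) return 1 ;;
    esac
    [ -d "$target" ] || return 1

    # Create the new link under a temporary name, then rename it over the
    # live link. rename(2) replaces the link in one step, so serving/root
    # always points at a complete release.
    tmp="$base/serving/.root.new.$$"
    ln -s "$target" "$tmp" || return 1
    mv -T "$tmp" "$base/serving/root" || { rm -f "$tmp"; return 1; }
}
```

The function only switches the link; restarting nginx afterwards, as the quoted reply describes, is left to the caller.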