Allow internal redirect to URI x, but deny external request for x?
Francis Daly
francis at daoine.org
Sat Aug 31 20:50:45 UTC 2019
On Sat, Aug 31, 2019 at 09:10:09AM -0500, J. Lewis Muir wrote:
> On 08/31, Francis Daly wrote:
Hi there,
> > * starts with /my-app/current/ -> reject
> > * starts with /my-app/releases/ -> reject
Actually -- those two "rejects" should not be needed.
The app probably should not be installed in the general nginx document
root directory. The "alias" mentioning the "app/current" directory means
that that is the only part that nginx will try to serve files from. The
"root" mentioning the "app/current" directory means that that is the only
part that nginx will look in (try_files) and mention to the fastcgi server
(fastcgi_param).
So the "app/releases" directory will not be web-accessible; and the
"app/current" directory will only be accessible by the explicit url that
you define.
So the full config should be of the form
location ^~ /app-url/ {
alias /active-app-dir/;
location ~ \.php(/|$) {
root /active-app-dir;
fastcgi_split_path_info ^/app-url(/.*?php)($|/.*);
try_files $fastcgi_script_name =404;
include fastcgi.conf;
fastcgi_pass unix:php.sock;
}
}
Adjust regexes based on what you want.
"app-url" can be "my-app". "/active-app-dir" can be "/opt/app/releases/3"
or "/opt/my-app/current" or anything else.
> I changed the root directive to come before the fastcgi_split_path_info,
> but that was just aesthetic; it worked fine the other way
> too.
Yes. For many directives in nginx, the order in the config file does
not matter.
("rewrite" module directives use the order. And regex locations use
their order. I think that most others do not. Your fastcgi server might
care about the order that the fastcgi_param directives had, but nginx
does not.)
> Previously, I had the fastcgi_split_path_info call in
> php-fpm-realpath.conf along with the following file-exists check after
Using "realpath" should not affect nginx at all. nginx invites the
fastcgi server to use pathname2 instead of pathname1; so the fastcgi
server is the only thing that should care.
> For my current app, it doesn't use those URIs, so it's not a problem,
> but as a general scheme, it's not perfect. I think one solution would
> be to move the app root directory to a different name so that it can't
> conflict. For example, have it live at
>
> /srv/www/my-app-deployment
As above -- that shouldn't matter. If the app is not deployed in the web
server document root, only the specific alias/root directory is accessible,
and the entire url-space below that is available.
(And you can have one url prefix /my-app/, and a separate url prefix
/my-app-prev/, which uses the next most recent version. Restrict access
to that location{} to your source IP address, and you can do regression
testing between the two.)
> or something like that. Then I could just return a 404 for any request
> on that, e.g.:
>
> location ^~ /my-app-deployment/ {
> return 404;
> }
If you don't want nginx to serve content from the my-app-deployment
directory, it is probably easier for it to be somewhere other than
/srv/www.
It is hard to misconfigure nginx in that case.
Cheers,
f
--
Francis Daly francis at daoine.org
More information about the nginx
mailing list