Private location does not work

Payam Chychi pchychi at gmail.com
Mon Feb 20 18:21:14 UTC 2023


+1 Francis

Saint, I wonder if this might satisfy your ask indirectly.

Assign a secondary IP address to a NIC, and redirect to that IP for your
iframe processing.

Then you can apply a more specific ACL at host or nginx level to control
iframe reachability, or even use an IP address that's only reachable to your
internal users.

The more correct way of doing all of this is through secure user session
management with authentication and authorization.

Good luck
-Payam

On Mon, Feb 20, 2023 at 4:35 AM Francis Daly <francis at daoine.org> wrote:

> On Sun, Feb 19, 2023 at 09:33:46AM -0500, Saint Michael wrote:
>
> Hi there,
>
> > it does not work:
> > 404 Not Found
>
> It appears that you are not asking "how do I ensure that a location{}
> can only be used for internal redirects/requests".
>
> > in the public location,  /carrier_00163e1bb23c, I have
> > <iframe src="/asrxxxx">
> >     Your browser does not support iframes
> > </iframe>
>
> > so how do I block the public from looking at my HTML and executing directly
> > /asrxxxx?
>
> You don't.
>
> > Is this a bug?
>
> It's a misunderstanding on your part of how the requests from the browser
> to the server work.
>
> Right now, your question is "how do I block people from accessing a
> URL, while also allowing them to access the URL". And the answer is
> "you can't, reliably".
>
> The thing that you want to achieve, can't be achieved using the plan
> that you are currently following.
>
> In the tradition of "the XY problem": if you will describe the thing
> that you want to achieve, instead of just a part of the current thing
> that you are doing to attempt to achieve it, then it may be that someone
> can suggest a way to achieve it.
>
> I do see a later mail that has some more details; but on first glance
> it seems to be describing your current solution, rather than the problem.
>
> Cheers,
>
>         f
> --
> Francis Daly        francis at daoine.org
-- 
Payam Tarverdyan Chychi
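
An added example, not part of either poster's mail: an nginx sketch of the two approaches mentioned in the reply above, an address-restricted server for the iframe content and a session check on the iframe URL via auth_request (needs ngx_http_auth_request_module). The IP addresses, document root and the session validator at 127.0.0.1:9000 are assumptions; only the two location paths come from the thread.

```nginx
# Added example. Addresses, root and the validator upstream are assumed values.

# Option 1: serve the iframe content only on a secondary, internal-only address.
# The public page would then use <iframe src="http://10.20.0.5/asrxxxx">.
server {
    listen 10.20.0.5:80;              # assumed secondary IP on the NIC
    server_name _;

    location /asrxxxx {
        allow 10.20.0.0/16;           # assumed internal user range
        deny  all;                    # any other client gets 403
        root  /var/www/site;          # assumed document root
    }
}

# Option 2: one public server; the iframe URL requires a valid session.
server {
    listen 192.0.2.10:80;             # assumed public address (documentation range)
    server_name _;
    root /var/www/site;               # assumed document root

    location /carrier_00163e1bb23c {
        # Public page that embeds <iframe src="/asrxxxx">.
    }

    location /asrxxxx {
        # The browser sends the same cookies for the iframe request, so a
        # logged-in user passes; a request without a session is refused.
        auth_request /_session_check; # 2xx allows, 401/403 denies
    }

    location = /_session_check {
        internal;                     # subrequest only, never served to clients
        proxy_pass http://127.0.0.1:9000/validate;   # hypothetical session validator
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

In both options a user who is allowed to see the iframe can also request /asrxxxx directly, which is the point made in the quoted reply; the controls decide who may fetch the URL, not how it is fetched.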