So I use nginx with PHP and I have the following two URLs I want to allow access on the subdomain.
The full URL would be
sub1.domain.com/index.php?option=com_hwdmediashare&task=addmedia.upload&base64encryptedstring
if ( $args ~ 'option=com_hwdmediashare&task=addmedia.upload([a-zA-Z0-9-_=&])' ) {
}
And
sub1.domain.com/media/com_hwdmediashare/assets/swf/Swiff.Uploader.swf
But I can't figure out in nginx how to block all other traffic/requests on the subdomain apart from those two URLs. Can anyone help me get an understanding of the location block of nginx so I can block access to all links apart from those two?
Posted at Nginx Forum:
Use map,
map $request $allowonly {
    default 1;
    ~*addmedia.upload([a-zA-Z0-9-_=&]) 0;
    1;
}
inside location {}:
if ($allowonly) { return 404; }
Untested but should give you enough to test with.
Posted at Nginx Forum:
map $request $allowonly {
    default 1;
    ~*addmedia.upload([a-zA-Z0-9-_=&]) 0;
}
location / {
    if ($allowonly) {
        try_files $uri $uri/ /index.php?$args;
    }
}
location ~ \.php$ {
    ##fastcgi pass etc here
}
That would be my location block to deny all requests except for that single PHP URL, but I can't add the static file to the map request since it would be handled by PHP when it's a static file.
How should I make this URL be accepted:
“sub1.domain.com/media/com_hwdmediashare/assets/swf/Swiff.Uploader.swf”
Posted at Nginx Forum:
Chained maps maybe?
http {
    map $arg_option $step2 {
        default 1;
        com_hwdmediashare $arg_task;
    }
    map $step2 $step3 {
        default 1;
        addmedia.upload $request;
    }
    map $step3 $blocked {
        default 1;
        ~*(?:\?|&)?base64encryptedstring 0;
    }
    server {
        location / {
            return 404;
        }
        location /index.php {
            if ($blocked) {
                return 404;
            }
        }
        location /media/com_hwdmediashare/assets/swf/Swiff.Uploader.swf {
        }
    }
}
B. R.
In the map flip the 1 and 0 around; if $allowonly=1 then the IF is true (unless that’s what you want).
General rule for IFs: only use it to return a state.
if … return …
continue with complex configuration items.
Don’t do: ‘if … do complex things …’ (unless preceded with Lua finishing with an nginx if…return)
If you want to expand the logic of what is OK and what is not, have a look at my conf\nginx-simple-WAF.conf, where 3 maps are combined into 1 result map.
In your case you could use 2 mappings, 1 for normal requests and 1 for passed-on PHP requests.
Posted at Nginx Forum:
On Thu, Jan 29, 2015 at 09:20:36AM -0500, c0nw0nk wrote:
> So I use nginx with PHP and I have the following two URLs I want to allow
> access on the subdomain.
> The full URL would be
> sub1.domain.com/index.php?option=com_hwdmediashare&task=addmedia.upload&base64encryptedstring
Usually you don’t want to match $args, because the order is not fixed. But if you are happy that it is in your case, you can just do:
server {
    server_name sub1.domain.com;
    location / { return 404; }
    location = /index.php {
        if ( $args !~ 'option=com_hwdmediashare&task=addmedia.upload' ) {
            return 404;
        }
        # do whatever
    }
}
Change “404” to whatever you want “block” to mean.
“# do whatever” will probably involve fastcgi_pass or something similar.
Note that this does not restrict access to exactly this query string; if it matters, you can tighten things. But it is probably simpler for your index.php to check that arguments are exactly what is expected or else to fail.
> And
> sub1.domain.com/media/com_hwdmediashare/assets/swf/Swiff.Uploader.swf
location = /media/com_hwdmediashare/assets/swf/Swiff.Uploader.swf {}
> But I can't figure out in nginx how to block all other traffic/requests on
> the subdomain apart from those two URLs
location /
matches any normal request that does not match any other location.
f
Francis D.
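Added example, not from any poster in this thread: one way to combine the suggestions above so that the check does not depend on argument order, by keying a single map on nginx's parsed $arg_option and $arg_task and using exact-match locations. The $upload_denied variable name, the fastcgi_pass address and the use of z:/public_www as the PHP root are assumptions.

```nginx
# Added example; goes in the http {} context.
# Keying on the parsed arguments makes the order in the query string irrelevant.
# A combined (multi-variable) map source needs nginx 0.9.0 or later.
map "$arg_option:$arg_task" $upload_denied {
    default                               1;   # deny unless explicitly listed
    "com_hwdmediashare:addmedia.upload"   0;   # the one allowed option/task pair
}

server {
    listen 80;
    listen [::]:80;
    server_name sub1.domain.com;

    # Anything not matched by an exact location below is refused.
    location / {
        return 404;
    }

    # Exact match: only /index.php is handed to PHP, not every *.php path.
    location = /index.php {
        # "if" is used only to return, as advised in the thread.
        if ($upload_denied) {
            return 404;
        }
        root          z:/public_www;      # assumption: same root as the static file
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  127.0.0.1:9000;     # assumption: local PHP FastCGI listener
    }

    # Exact match for the single static file.
    location = /media/com_hwdmediashare/assets/swf/Swiff.Uploader.swf {
        root    z:/public_www;
        expires max;
    }
}
```

This checks only the two named arguments; everything else in the query string still reaches PHP, so index.php should validate its own input as suggested above.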
Thanks for the help guys, I have it working, but I am not sure which config I should be using out of these two, and which one would be better.
itpp2012’s config :
map $request $allowonly {
    default 1;
    ~*addmedia.upload([a-zA-Z0-9-_=&]) 0;
}
server {
    listen 80;
    listen [::]:80;
    server_name sub1.domain.com;
    index index.php index.html index.htm default.html default.htm;
    location / {
        return 404;
    }
    location /media/com_hwdmediashare/assets/swf/Swiff.Uploader.swf {
        root z:/public_www;
        expires max;
    }
    location ~ \.php$ {
        if ($allowonly) {
            return 403;
        }
        try_files $uri =404;
        ##fastcgi stuff here
    }
}
And then the config Francis recommends :
server {
    listen 80;
    listen [::]:80;
    server_name sub1.domain.com;
    location / {
        return 404;
    }
    location = /index.php {
        if ( $args !~ 'option=com_hwdmediashare&task=addmedia.upload' ) {
            return 404;
        }
        try_files $uri =404;
        # do whatever (So fastcgi stuff here)
    }
    location = /media/com_hwdmediashare/assets/swf/Swiff.Uploader.swf {
        root z:/public_www;
        expires max;
    }
}
itpp2012’s config is the one I am currently using and works well. Should I change anything or just stick with it?
Posted at Nginx Forum: