I have following header in upstream response
Location: http://10.0.2.15:8080/auth?&redirect_uri=http%3A%2F%2F10.0.2.15%3A8080%2Foauth
I need to change the private ip to $http_host. Currently this works only for the 1st occurence, not in redirect_uri one.
map $upstream_http_location $location_patch {
"" "";
"~^.*/10.0.2.15:8080/(.*)$" "http://$http_host/$1";
"~.*/10.0.2.15%3A8080%2F(.*)$" "http://$http_host/$1";
"~.*" "";
}
Please advise.
Related
I have a service that is hosted in an internal network that is receiving traffic in port 443 (via https) behind a custom loadbalancer both from the internet but also from the internal network.
Internal network requests are coming with an extra custom header, let's call it X-my-lb-header.
I want to block all external incoming traffic to all uris (return an http response code), except to some specific ones.
Eg, let's say that i want to allow traffic that is coming to two endpoints /endpoind1/ (preffix match) and /endpoint2 actual match.
What is the best way to achieve a behaviour like this?
If my understanding is correct I need something like (not correct syntax bellow)
location = /endpoind2 {
if ($http_x_my_lb_header not exists) {
pass
} else {
return 404
}
... the rest of the directives
}
location ~ / {
if ($http_x_my_lb_header) {
return 404;
}
... the rest of the directives
}
But since else is not supported in nginx, i cannot figure out to do it.
Any ideas?
So you need some logic like
if (header exists) {
if (request URI isn't whitelisted) {
block the request
}
}
or in another words
if ((header exists) AND (request URI isn't whitelisted)) {
block the request
}
Well, nginx don't allow nested if blocks (nor logical conditions). While some people inventing a really weird but creative solutions like this one (emulating AND) or even this one (emulating OR), a huge part of such a problems can be solved using map blocks (an extremely powerfull nginx feature).
Here is an example:
# get the $block variable using 'X-my-lb-header' value
map $http_x_my_lb_header $block {
# if 'X-my-lb-header doesn't exists, get the value from another map block
'' $endpoint;
# default value (if the 'X-my-lb-header' exists) will be an empty string
# (unless not explicitly defined using 'default' keyword)
}
# get the $endpoint variable using request URI
map $uri $endpoint {
# endpoint1 prefix matching (using regex)
~^/endpoint1 ''; don't block
# endpoint2 exact matching
/endpoint2 ''; don't block
default 1; # block everything other
}
Now you can use this check in your server block (don't put it to some location, use at the server context):
if ($block) { return 404; }
For example we have setup like this:
user -> api gateway -> (specific endpoint) varnish -> backend service
If backend returns response 500 {"message":"error"} I want to patch this response and return 200 "[]" instead.
Is it possible to do something like this using varnish or some other proxy?
It is definitely possible to intercept backend errors, and convert them into regular responses.
A very simplistic example is the following:
sub vcl_backend_error {
set beresp.http.Content-Type = "application/json";
set beresp.status = 200;
set beresp.body = "[]";
return(deliver);
}
sub vcl_backend_response {
if(beresp.status == 500) {
return(error(200,"OK"));
}
}
Whenever your backend would fail, and return an HTTP/503 error, we will send a HTTP/200 response with [] output.
This output template for backend errors is also triggered when the backend does reply, but with a HTTP/500 error.
In real world scenarios, I would a some conditional logic in vcl_backend_error to only return the JSON output template when specific criteria are matched. For example: a certain URL pattern was matched.
I would advise the same in vcl_backend_response: maybe you don't want to convert all HTTP/500 errors into regular HTTP/200 responses. Maybe you also want to add conditional logic.
I am writing a http proxy which needs to call DumpRequest. For some reason, the client does not offer "Host" header while the server needs it. I then do this:
if req.Header.Get("host") == "" {
req.Header.Set("Host", "www.domain.com:80")
}
data, _ := httputil.DumpRequest(req, true)
conn.Write(data)
The problem is after I set "host", data still does not has it. I digged into source code of DumpRequest, found this:
var reqWriteExcludeHeaderDump = map[string]bool{
"Host": true, // not in Header map anyway
"Transfer-Encoding": true,
"Trailer": true,
}
Why is Host "not in Header map anyway"?
Short answer
I guess you should use Header.Add() instead of Header.Set()
I didn't try it. So if my answer is wrong, be free to figure it out.
Reference
From source code , It said that.
It replaces any existing values associated with key
But in you case, you don't have that K existing. So it behaves as we expected.
If you use Set() method, it's cool.
DumpRequest should not be used to implement a proxy - see doc:
It should only be used by servers to debug client requests. The returned
representation is an approximation only ...
If you are trying to change the origin host value of the request while it goes through your proxy, you do not need to change the header of host. You can do the following:
if req.Host == "" {
req.Host = "www.domain.com"
}
data, _ := httputil.DumpRequest(req, true)
conn.Write(data)
Playground
https://play.golang.org/p/f-qaZRC0RMO
I'm working on a little PHP Service on my webserver for my clients. The concept is simple:
I'm making a website for a client of mine locally. I upload it onto my publicly accesible webserver. Now I don't want anybody to have access onto every website. So I made a login form (via password) with php and html. The userdata is saved in a MySQL Database.
So if a user gets the url of me (e.g. client.raphaelbernhart.at) there is a input field with a password to be filled out. Now if the user submits the password the php script checks is there is a user with this password and creates a session and cookie.
As the information (client websites) are most of the time not very sensitive I wanted to proof with the nginx configuration if a cookie is created at the clients computer and if the path (url) contains the username specified inside the cookie. My configuration for something like this would be:
location /client {
# Check if url contains auth cookie value
if ($request_uri != $cookie_auth){
return 401;
}
}
But this isn't working...
It would be greate if anybody could help me with this problem...thanks
Also I want to check if there is a administrator cookie created and then always send status 200.
Something like this:
# Check if url contains auth cookie value
if ($cookie_auth = "administrator"){
return 200;
}
But this isn't working to.
Try
location /client {
set $deny 1;
if ($uri ~ ^/client/$cookie_auth) {
set $deny '';
}
if ($cookie_auth = administrator) {
set $deny '';
}
if ($cookie_auth = '') {
set $deny 1;
}
if ($deny) {
return 401;
}
... # further processing
}
I need to get the CN of a client certificate in NGINX to append it to the proxy headers.
I already found the following map code for this.
map $ssl_client_s_dn $ssl_client_s_dn_cn {
default "";
~/CN=(?<CN>[^/]+) $CN;
}
But sadly it only returns an empty string for the following $ssl_client_s_dn:
CN=testcn,O=Test Organization
I tested it with other DNs, too. But the problem is always the same.
The pattern you use requires the legacy DN, since it assumes the / to separate the RDNs. So (since nginx v1.11.6) the following works:
map $ssl_client_s_dn_legacy $ssl_client_s_dn_cn {
default "";
~/CN=(?<CN>[^/]+) $CN;
}
With $ssl_client_s_dn_legacy: /O=Test Organization/CN=testcn
As #christof-r mentioned, your regex matched with the legacy DN pattern. Please use this regex to match with the current ( > v1.11.6) pattern.
map $ssl_client_s_dn $ssl_client_s_dn_cn {
default "";
~CN=(?<CN>[^,]+) $CN;
}