nginx reverse proxy and allow some file extension only - nginx

I setup nginx reverse proxy as below config and it's working file
But i want this nginx only allow some file extension such as html, png, php, svg, jpg, css, js ..
and block other extension , i dont know how to do this after many test and follow lot of guide
Thanks
server {
listen 443 ssl ;
listen 8080 ;
ssl on;
ssl_certificate /etc/nginx/bundle.crt;
ssl_certificate_key /etc/nginx/cert.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
server_name mydomain.net;
location / {
proxy_pass https://172.16.0.1:8080/; # foward all request to another website
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forward-Proto http;
proxy_set_header X-Nginx-Proxy true;
proxy_redirect off;
}
}

The most simple is to check the URI via regex:
if ($uri !~ \.(html|png|php|svg|jpg|css|js)$) {
return 403;
}
To also allow the URIs without extension, use
if ($uri !~ /([^./]*|[^/]*\.(html|png|php|svg|jpg|css|js))$) {
return 403;
}

Related

How to proxy pass to another port (multiple)

I want to proxy pass based on the path to another port (multiple) using NginX.
Example:
/ -> :3000
/test -> :3001
I already config my nginx.conf like this:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.xxx.domain.com;
gzip off;
proxy_max_temp_file_size 0;
ssl_certificate /etc/nginx/ssl/xxx.co.id.pem;
ssl_certificate_key /etc/nginx/ssl/xxx.co.id.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers XXX
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_redirect off;
location / {
proxy_pass http://10.184.0.4:3000;
}
location = /test {
proxy_pass http://10.184.0.4:3001;
}
}
It's success for the /, but for the /test route it's get redirected to port :3000 to the Not Found Page.
Any suggestion to success the proxy pass?

Nginx proxy_pass config leaves insecure access to location path open

The nginx snippet below works for https access of our web application. However several end users of the app are instead using ip access in browser to the same app with no certificate protection.
Ways to block this access?
server {
listen 80;
server_name ourserver.com;
return 301 https://ourserver.com$request_uri;
}
server {
listen 443;
server_name ourserver.com;
### SSL details removed
ssl_certificate "//";
ssl_certificate_key "//";
ssl_session_cache
ssl_session_timeout
ssl_ciphers
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_read_timeout 1200;
proxy_send_timeout 1200;
proxy_connect_timeout 75;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}
}

Neo4j with a reverse proxy and NGINX

I'm having trouble addressing Neo4j via a reverse proxy with NGINX.
The web client works without problems, but I have no idea about the Bolt protocol.
Here's how the web client works:
server {
listen 80;
server_name XXX;
location / {
proxy_pass http://YYY:7474/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_buffering off;
}
}
But how does the Bolt protocol over port 7687 work?
Thanks.
PS: Google translator ftw.
You need to use nginx compiled with --with-stream. Then you can add below section to your nginx config
stream {
server {
listen 7687;
proxy_pass neo4j:7687;
}
}
Basically you need to use tcp reverse proxy and not http proxy. The above configuration section will be at top level and not inside http or server block
You will need to open port 7687 between your laptop and the server hsoting neo4j.
If you are using let's encrypt and try to connect though SSL. neo4j embedded certificate were not signed by an Authority which was generating the error in my chrome browser.
To make it works, I had to copy my certs in neo4j certificates :
sudo su
cp /etc/letsencrypt/live/MYDOMAIN/fullchain.pem /var/lib/neo4j/certificates/neo4j.cert
cp /etc/letsencrypt/live/MYDOMAIN/privkey.pem /var/lib/neo4j/certificates/neo4j.key
service neo4j restart
Here is what works:
worker_processes auto;
events {
worker_connections 1024;
}
http {
map $http_upgrade $connection_upgrade {
"" close;
default upgrade;
}
upstream neo4j_bolt {
server neo4j:7687;
}
upstream neo4j_insecure {
server neo4j:7474;
}
upstream neo4j_secure {
server neo4j:7473;
}
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://neo4j_insecure;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
}
}
server {
listen 443 ssl;
server_name localhost;
#SSL/https
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ecdh_curve secp384r1;
ssl_certificate /etc/nginx/conf.d/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/conf.d/ssl/nginx.key;
ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;
location / {
proxy_pass https://neo4j_secure;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 7687 ssl;
server_name localhost;
#SSL/https
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ecdh_curve secp384r1;
ssl_certificate /etc/nginx/conf.d/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/conf.d/ssl/nginx.key;
ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;
location / {
proxy_pass https://neo4j_bolt;
proxy_http_version 1.1;
proxy_set_header Connection Upgrade;
proxy_set_header Host $host;
proxy_set_header Upgrade $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 7688;
server_name localhost;
location / {
proxy_pass http://neo4j_bolt;
proxy_http_version 1.1;
proxy_set_header Connection Upgrade;
proxy_set_header Host $host;
proxy_set_header Upgrade $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}
Dockerized solution here: https://github.com/joehoeller/nginx-server-neo4j-graph-db

Nginx 404 Error to some subfolders

Noobie question here.
I've setted up Parse-Server in my Ubuntu droplet and i'm currently dealing with an issue here.
My ssl is from letsencrypt
In this file
/etc/nginx/sites-enabled/default
I have the following
# HTTP - redirect all requests to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
server_name example.com;
return 301 https://$host$request_uri;
}
# HTTPS - serve HTML from /usr/share/nginx/html, proxy requests to /parse/
# through to Parse Server
server {
listen 443;
server_name example.com;
root /usr/share/nginx/html;
index index.html index.htm;
ssl on;
# Use certificate and key provided by Let's Encrypt:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# Pass requests for /parse/ to Parse Server instance at localhost:1337
location /parse/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:1337/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location /test/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:1337/test/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location /dashboard/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:4040/dashboard/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
location / {
try_files $uri $uri/ =404;
}
}
So the followin links are working fine
https://example.com/parse/
https://example.com/dashboard/
https://example.com/test/
but they are working cause of the default file has the code to work fine.
I can't do that for all the directories that parse has for example
https://example.com/parse/serverInfo/
is getting a 404 error.
Is there any way to make all the pages available without having to configure them in the default file?
Update
So when I put this inside my default file
location /parse/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:1337/parse/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_redirect off;
}
I get no 404 error. This is because of the proxy_pass http://localhost:1337/parse/ that is different from the first file that I've posted here.
But how can i do that for ALL the requests no matter /parse/ or /something/ etc? I cannot right down here ALL the folders and possible links that i will create inside server. Because at this domain I will also setup a website which will have /assets/ etc and it will need each single one.
Isn't there any code to include ALL the possible links that it will be created?
You can capture parts of the location entry using regex group, e.g.
location /(.*) {
...
proxy_pass http://localhost:1337/$1;
...
}

ERR_TOO_MANY_REDIRECTS while setting up Ghost + Nginx with both HTTP and HTTPS

I'm deploying Ghost (0.7.6) in a VPS using Nginx (1.8.1). To make the dashboard and sign-in page secure, I force any request to use HTTPS when accessing such pages (such as /ghost page). But, for any request to any other page (such as accessing the Ghost blog itself) I want to force it to use HTTP. Ghost is up listening on 127.0.0.1:2368.
Strangely, the result is not as what I expected: Every time I access my blog (let's say the url is a.b), it says that my site has ERR_TOO_MANY_REDIRECTS and it redirects between http://a.b and https://a.b (or between http://a.b/signin and https://a.b/signin). BUT, when I access the admin dashboard (https://a.b/ghost or http://a.b/ghost), it acts as expected (no error, correctly redirects to use HTTPS).
Any help?
My Nginx configuration:
# Configuration for http://a.b
server {
listen 80;
server_name a.b;
location ^~ /ghost { # /ghost should be accessed securely
return 301 https://$host$request_uri;
}
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:2368;
}
}
# Configuration for http://a.b
server {
listen 443 ssl;
server_name a.b;
ssl_certificate ...;
ssl_certificate_key ...;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers '...';
location ^~ /ghost { # /ghost should be accessed securely
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:2368;
}
location / { # Force to use HTTP
return 301 http://$host$request_uri;
}
}
Any kind of help would be appreciated :')
https://github.com/TryGhost/Ghost/issues/2796
location ^~ /ghost { # /ghost should be accessed securely
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header HOST $host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:2368;
}

Resources