On my site, registered users, after logging in, have the possibility to download files with the curl command, i.e.
curl -O https://example.com/assets/file/test.txt
I would like to prevent a user who is not logged in, or who has been deleted, from still being able to download the file by running the command again or by going directly to the address in the browser.
I use Nginx as web server.
Is it possible to block access to the user that no longer exists or is no longer logged in?
I had thought about the possibility of doing something like this:
curl -u {{user.id}}:{{unique_value}} https://example.com/assets/file/test.txt
or
curl -O https://example.com/assets/file/test.txt?param={{unique_value}}
But I don't know how to verify the existence of the user, and if it is possible to do so, with nginx or some other tool.
I tried using cookie control with Nginx, but as far as I know it is easy to circumvent.
yeah you can use http basic auth to restrict file access to authorized people, per the documentation at https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
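touch /etc/nginx/users.htpasswd;
# -b reads the password from the command line (it ends up in shell history);
# omit -b and the password argument to be prompted for it instead
htpasswd -b /etc/nginx/users.htpasswd user1 'password1';
followed by
server {
    listen 80;
    listen [::]:80;
    location /assets {
        # root is the parent directory of assets/
        root /wherever/assets/..;
        auth_basic "assets";
        auth_basic_user_file /etc/nginx/users.htpasswd;
    }
}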
now only curl -u user1:password1 can download files in /assets/
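One way to build the {{unique_value}} parameter from the question so that a deleted user loses access, as an added example (not code from the question or the answer above). It assumes nginx asks a small backend for a verdict on each request, for instance through its auth_request module; SECRET_KEY, ACTIVE_USERS, issue_token and check_download are hypothetical names and the values are constructed.

```python
import base64
import hashlib
import hmac
import time

# Constructed values: a real deployment loads the key from a secret store
# and checks the user against its own database.
SECRET_KEY = b"constructed-demo-key-not-for-production"
ACTIVE_USERS = {"42", "77"}  # stand-in for "user exists and is enabled"


def _sign(user_id, path, expires):
    # Bind the MAC to the user, the file path and the expiry time.
    msg = f"{user_id}\n{path}\n{expires}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue_token(user_id, path, ttl=300, now=None):
    """Return the value to embed in the curl command shown to a logged-in user."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"{user_id}.{expires}.{_sign(user_id, path, expires)}"


def check_download(token, path, now=None):
    """Return the status the auth endpoint answers with: 200 allows, 403 denies."""
    try:
        user_id, expires_s, sig = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return 403  # malformed token
    expected = _sign(user_id, path, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 403  # forged, altered, or issued for a different file
    if (now if now is not None else time.time()) > expires:
        return 403  # link has expired
    if user_id not in ACTIVE_USERS:
        return 403  # user was deleted after the link was issued
    return 200
```

The user lookup runs on every request, so removing a user takes effect immediately even if the link has not expired yet.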
Related
All,
I'm trying to upload a local file to my remote Nginx server via cURL. I have built Nginx from source with the upload module and the DAV module. At the bottom of the Nginx page, there is an example form to upload a file. I'm not sure how I would implement the form, and (several) Google searches have returned little helpful information about uploading directly to Nginx via cURL.
Current tech stack:
Nginx
Green Unicorn
Flask
Of all the different avenues I've tried, the following is the one that seems the most appropriate for the task.
curl -X POST -F "image=@example.gif" http://54.226.64.199/upload
However, the response is underwhelming.
I've tried --upload-file as well; the response is a 405. From what I've read, upload only accepts a POST command, not PUT, hence why I get a 405.
I don't need a full solution (would be great!), only pointing in the right direction.
Any help is appreciated. Thanks
EDIT: sorry wanted to include part of my .conf
location /upload {
    upload_store /tmp;
    #upload_pass #none;
    upload_store_access all:rw;
    upload_cleanup 400 404 499 500-505;
}
You can do this by specifying the filename in the URL, without using any external module:
location ~ "/upload/([0-9a-zA-Z-.]*)$" {
    alias /storage/www/upload/$1;
    client_body_temp_path /tmp/upload_tmp;
    dav_methods PUT DELETE MKCOL COPY MOVE;
    create_full_put_path on;
    dav_access group:rw all:r;
}
And use: curl -T example.gif http://54.226.64.199/upload/example.gif
Say I'm accessing www.mywebsite.com.
This website fetches the following asset:
http://www.mywebsite.com/styles/app.css
I want to access the website exactly as I normally would, with one exception:
Whenever my browser makes a request to /styles/app.css, instead of fetching it from http://www.mywebsite.com, I want to fetch it from http://localhost:3000/mywebsite/.
So instead it should be fetching:
http://localhost:3000/mywebsite/styles/app.css
Is this possible with nginx?
I tried to do it using the following server config:
{
    ...
    server {
        listen 80;
        server_name mywebsite.com;
        location /styles/ {
            proxy_pass http://localhost:3000/mywebsite/styles/;
        }
    }
But even after restarting nginx (sudo nginx -s quit, sudo nginx), nothing seems to have changed.
When I browse to www.mywebsite.com/styles/app.css, I still get the same old app.css being retrieved from the server, rather than my local one.
Is it possible to protect the Plesk panel 11.5.30 GUI with basic auth protection?
11.5.30 uses nginx as its internal web server. I found this file:
/etc/nginx/plesk.conf.d/server.conf
but it's not allowed to be edited:
ATTENTION!
DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
Does anyone here have a simple example to add basic auth to the Plesk GUI?
This is the correct way (originally posted by SergeyUgdyzhekov)
# Create /etc/sw-cp-server/conf.d/protect-plesk.inc with content:
location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/sw-cp-server/conf.d/passwd;
}
# Generate passwd file
htpasswd -c /etc/sw-cp-server/conf.d/passwd admin
# Set correct permissions:
chown sw-cp-server:psaadm /etc/sw-cp-server/conf.d/passwd
chmod 640 /etc/sw-cp-server/conf.d/passwd
# Restart panel web server
/etc/init.d/sw-cp-server restart
The Plesk panel server's config is stored in /etc/sw-cp-server/conf.d/plesk.conf
The config /etc/nginx/plesk.conf.d/server.conf is the config of the public web server on port 80.
I am using an application which needs to PUT a file on a HTTP server. I am using Nginx as the server but getting a 405 Not Allowed error back. Here is an example of a test with cURL:
curl -X PUT \
    -H 'Content-Type: application/x-mpegurl' \
    -d /Volumes/Extra/playlist.m3u8 http://xyz.com
And what I get back from Nginx:
<html>
<head><title>405 Not Allowed</title></head>
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.1.19</center>
</body>
</html>
What do I need to do to allow the PUT?
Any clues would be awesome!
To add HTTP and WebDAV methods like PUT, DELETE, MKCOL, COPY and MOVE you need to compile nginx with HttpDavModule (./configure --with-http_dav_module). Check nginx -V first, maybe you already have the HttpDavModule (I installed nginx from the Debian repository and I already have the module).
Then change your nginx config like this:
location / {
    root /var/www;
    dav_methods PUT;
}
You can get more info on the nginx docs entry for the HttpDavModule.
Another reason for 405 Not Allowed is that you don't have permission to write files to the destination you're PUTing to. If you have HttpDavModule and are still getting this error, make sure you've given nginx write permissions where you're PUTing the files.
Adding this block solved the problem for me in a Laravel application.
location / {
    try_files $uri $uri/ /index.php?$query_string;
}
nginx is mainly a proxy and a lot of other things; it shares some things with a web server, but not all.
You may want to check: https://www.nginx.com/resources/wiki/modules/upload/,
but it is better to have a REST interface and let nginx do the proxying, balancing, buffering, TLS ...
I have a couple of files in my web project. They are all sent to the client with nginx's help.
But I want to know (and to show to end users) how many times a file was downloaded.
For example, a file has a URL like: example.com/file.ppt
and the nginx settings are as follows:
location ~* \.(ppt|swf)$ {
    root /path/to/static/content;
    expires 30d;
}
So my question: can nginx send a request to some URL, or do something else, when someone tries to download a certain file?
You could count successful file downloads in the nginx access.log, for example with grep:
grep -c file.ppt access.log
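A stricter count than the grep above, as an added example (not part of the original answer): grep -c counts every line that mentions the name, including 304 and 404 responses, HEAD requests and Referer hits, while this parser counts only GET requests answered with 200. It assumes nginx's default "combined" log format; the log lines are constructed and count_downloads is a hypothetical name.

```python
import re
from collections import Counter

# nginx "combined" format: only the request line and the status are needed.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def count_downloads(lines, extensions=(".ppt", ".swf")):
    """Count complete, successful GET downloads per path."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        # 206 (range requests) is skipped so a resumed download is not
        # counted once per chunk; 304/404 transferred no file at all.
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        path = m["uri"].split("?", 1)[0]  # ignore the query string
        if path.lower().endswith(extensions):
            counts[path] += 1
    return counts


# Constructed sample log lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /file.ppt HTTP/1.1" 200 52344 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /file.ppt HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /file.ppt?x=1 HTTP/1.1" 200 52344 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:02:15 +0000] "GET /missing/file.ppt HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:05:40 +0000] "GET /index.html HTTP/1.1" 200 512 "http://example.com/file.ppt" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:06:02 +0000] "HEAD /file.ppt HTTP/1.1" 200 0 "-" "curl/8.0"',
    '192.0.2.1 - - [10/Oct/2023:14:07:30 +0000] "GET /intro.swf HTTP/1.1" 206 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, n in count_downloads(SAMPLE_LOG).items():
        print(path, n)
```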