NGINX - How to deny direct access to a file - nginx

Is there any way to prevent direct access to a file but allow it to be loaded from another page? For example, I have an swf in mydomain.com/assets/importantasset.swf and I want to load it in mydomain.com/page, but if people try to directly access that swf they will be shown a 403 error. I know there is a way to accomplish this in IIS, if anyone can convert the following code to be compatible for nginx.
<rule name="protect" stopProcessing="true">
<match url=".*\.(swf)$" negate="false" />
<conditions>
<add input="(HTTP_REFERER}" pattern="^http://domainname.com/.*$" negate="true" />
</conditions>
<action type="AbortRequest" />
</rule>

Related

IIS 10: Serve file with same name as directory

I've just set up a IIS server, and made a simple website. I have a file called "image.aspx" and a directory called "image" and I have URL Rewrite 2.0 to not need the .aspx. When I see domain.com/image i get a no permission 403, but when I visit domain.com/image.aspx it shows. How can I make it that when you visit domain.com/image you go to domain.com/image.aspx but you are able to go to domain.com/image/file.aspx?
We just check if the file with the request URL name exists then make a redirection. Moreover, the specific file under that directory is accessible too.
<rules>
<rule name="MyRules" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{DOCUMENT_ROOT}{Request_URI}.aspx" matchType="IsFile" />
</conditions>
<action type="Redirect" url="Https://vabqia969vm:448{request_URI}.aspx" />
</rule>
</rules>
</rewrite>
Feel free to let me know if the problem still exists.

URL Rewrite not working on IIS 10.0

I'm using URL Rewrite on IIS 10.0 and have the following rule configured at the server level (applicationHost.config). I've tried it in my web.config to no avail as well.
<rewrite>
<globalRules>
<rule name="redirect">
<match url="/admin" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="10.30.*.*" negate="true" />
</conditions>
<action type="Rewrite" url="/error" />
</rule>
</globalRules>
</rewrite>
Is there anything immediately obviously wrong here? I want any external traffic trying to hit /admin to get redirected to an error page, and only allow a single internal IP block to access it. Pulling my hair out over here.
You may need to install Application Request Routing, which is an extension to IIS and is available here: https://www.iis.net/downloads/microsoft/application-request-routing
There is a problem in match regexp. It shouldn't start with slash. Correct is ^admin (^ means start of url)
<rule name="redirect">
<match url="^admin" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="10.30.*.*" negate="true" />
</conditions>
<action type="Rewrite" url="/error" />
</rule>
And i have couple of notes:
1) For IP validation better to have regexp like that: 10.30.[0-9]{1,3}.[0-9]{1,3} instead of 10.30.*.*
2) Depends on your load balancer and network infrastructure, but you might need to check {HTTP_X_Forwarded_For} header instead {REMOVE_ADDR}, because client's IP might be in different header

HTTPS redirect to a folder not working

I just installed https certificate and am having a hard time setting up redirect.
I tried using HTTP Redirect in IIS (7.5) but can't get it to work in IE and in FF and Chrome once I pass the initial login page, I get "Too many redirect" error.
I also tried URL Rewrite but it was total failure so i reverted to HTTP Redirect.
Users used to access the site using "http://example.com/internal". Now, i want to redirect this to "https://internal.example.com/internal" and can't get it to work. I would much prefer not to use the last "internal" in the URL, if possible (the Common Name I used when requesting CSR was internal.example.com).
In HTTP redirect, I set "Redirect requests to this destination" to "https://internal.example.com/internal/default.aspx" and set "Redirect behavior" to "Only redirect requests to content in this directory" with Status Code 301 (Permanent).
Web site has an "internal" folder that contains the .Net application files and requires form authentication. The files in root folder are open to all (i.e. www.example.com is open to all).
Any help you can provide setting this up is greatly appreciated.
Update
I updated web.config and added some URL Rewrite rule but still not quite there.
In IE, when I type example.com/internal it goes to https://internal.example.com but not http://internal.example.com/internal.
In Chrome, it doesn't go to https, stays in http and shows "Not secure".
<rewrite>
<rules>
<rule name="Rewrite to internal" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^www.example.com$" />
</conditions>
<action type="Redirect" url="{R:1}" />
</rule>
<rule name="internal.example.com to sub folder internal" enabled="true" stopProcessing="true">
<match url="(.*)" ignoreCase="true" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="^OFF$" />
<add input="{HTTP_HOST}" pattern="^internal\.example\.com$" ignoreCase="false" />
<add input="{PATH_INFO}" pattern="^/internal($|/)" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/" />
</rule>
</rules>
</rewrite>
The first rule is to just let http://example.com go through; the second is to redirect http://example.com/internal to https://internal.example.com/internal.
Check your Authentication applet in IIS. it should allow anonymous auth.

Conditional https redirect on IIS 7

I have the following rule on the site to redirect http to https. We just found out though that our app got submitted with just an http for the api. Until we can get this updated I need the site to ignore calls to the /api folder and only redirect everything else. I'm sure there's a way to say something like if URL does not contain /api/ then redirect.
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
Add an entry similar to <add input="{R:0}" pattern="/api(/|$)(.*)" negate="true" /> so that the whole file is:
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{R:0}" pattern="/api(/|$)(.*)" negate="true" />
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
Example URL: http://site.com/api/function
So, if the URL after the site matches any of the following it will stop processing (and thus not push the user to https)
/api
/api/anything
Any https URL
We run into the same kind of thing with a large application run in IIS behind a reverse proxy. The URL rewrite addon for IIS (that you appear to be using) is a bit of a pain, but it does the job really well and tolerates the MVC framework.
As you mentioned, simply putting a rewrite block in an API directory won't work because with MVC there are no directories. You would think MS would have a better solution for this -- but they don't. It makes things all the more challenging.
If you place a separate Web.config file in the /api application or directory you can override whatever rules apply for the site as a whole.
Check out Tip #1 in this article, and if you have the time read them all:
http://weblogs.asp.net/jgalloway/archive/2012/01/17/10-things-asp-net-developers-should-know-about-web-config-inheritance-and-overrides.aspx
John Galloway's blog is a fantastic resource for all things IIS and ASP.NET.

Stopping hotlinking from a directory using web.config

I have a folder on my site for caching large flash movies and I want to stop other people from embedding them in their site; I would like to try and do this using the web.config file only. How could this be done?
My first attempt at a rule (which doesn't work):
The following rule was supposed to prevent public access (and embedding) to .swf files in the cache folder 'CurrentCache' - http://myurl.com/ContentCache/ and give a replacement movie 'NoEmbedFromCacheSWF.swf' instead.
<rule name="Prevent SWF hotlinking" enabled="true">
<match url="^(ContentCache)(.swf)$" ignoreCase="true" />
<conditions>
<add input="{HTTP_REFERER}" pattern="^http://(.*\.)?myurl\.com/.*$" negate="true" />
</conditions>
<action type="Rewrite" url="/Content/Flash/NoEmbedFromCacheSWF.swf" />
</rule>
Thanks in advance!
Note: I think I have got the regex wrong in the <match url="A swf inside /ContentCache/" ignoreCase="true" /> line, any ideas what it should?
You can build an HttpModule for this. There is a blog posting describing exactly what you want to do I think:
HttpModule to block external referrers in ASP.NET
Edit: Of course I'm bending the rules here about web.config only. You have to use an external module, but then you can use it referencing from web.config only without modifying any of your code.
Edit2: If you want to do it using a rewrite rule, you have to change your pattern, like this:
<rule name="Prevent SWF hotlinking" enabled="true">
<match url="/ContentCache/.*\.swf$" ignoreCase="true" />
<conditions>
<add input="{HTTP_REFERER}" pattern="^http://(.*\.)?myurl\.com/.*$" negate="true" />
</conditions>
<action type="Rewrite" url="/Content/Flash/NoEmbedFromCacheSWF.swf" />
</rule>
The pattern used is a regular expression, you can read up on them here and you can test them for example on this webpage.

Resources