I want to setup a reverse proxy for serving images stored in S3.
I dont want to allow access to images if referrer is not example.com
But I want to allow multiple crawlers for example google bot, bing bot etc (based on user_agent) to access the images.
I also want to allow my android app to access the images (based on custom header say X-Application: ExampleApp)
How do I configure nginx to do so ?
That comes to using 3 IF's which is not going to work due to IF limitations.
What you can do is 2 things, set up MAP to deal with the 3 tests (setting true or false values) then inside the server block use Lua to combine the 3 test values into one and use a single IF (or pure Lua) in the location block to allow/deny access.
map $referrer $usestring1 {
default 0;
~^google$ 1;
}
map $user_agent $usestring2 {
default 0;
~^google$ 1;
}
etc....
location / {
content_by_lua '
local s = ngx.var.usestring1;
local t = ngx.var.usestring2;
if s+t == 2 then return ngx.exit(503); end;
';
etc...........
Related
http://localhost/drupal-9.3.3/user/372#myaccount
How to remove user id on URL . Please suggest how to change these type security isssue.
If you want to change the url structure to remove ids, use pathauto https://www.drupal.org/project/pathauto
You can choose to have an url structure for user profiles that can be generated from any user field.
Someone told me that everything you write on the front end or in your main folder is always just basically a suggestion a.k.a. not secure.
Good ways to secure site:
Authenticate users using backend like firebase read/write permissions
Use randomized urls / keys (which firebase also does)
Also catch exceptions and deal with them, perferably at the the place where that function is created, not when it is executed:
Example
yes:
function() => {
// do something
//catch error
}
function(); // call function;
No:
function().then(error => { //do something})
i'm from business and I would like to ask is it possible to create A/B test with dynamic part of URL?
API of backend application returns calculation ID for every visitor and its included on URL.
For example:
We have main URL www.example.pl and I want to create A/B test with redirect to dynamic URL:
www.example.com/calculation/(calculculation_id)
Is it possible?
If your goal is to redirect from https://www.example.com/product/laptop/12345
to https://www.example.com/product/laptop-test/12345 for each product and not for the product 12345.
Select test type redirect
Set up redirect rules for each variant
Customize your page targeting rules with "contains" or "starts with."
Customize your advanced redirection"
1.Set up redirect rules for each variant
Find in domain/path com/product
Replace with com/product-test
Add/modify query parameters/fragments (leave blank)
Original: https://www.example.com/product/laptop/12345
Redirect: https://www.example.com/product-test/laptop/12345 (see point 3.Customize your advanced redirection)
! Do not worry if you are entering the specific product 12345 this value seen by the system as variable xxxxx !
2.Customize your page targeting rules with "contains" or "starts with."
Modify the page targeting rules to ensure that we include any URL containing example.com/product.
3.Customize your advanced redirection.
In our example the text "com/product" is replaced with "com/product-test".
This is the site where you can find more information :
https://support.google.com/optimize/answer/6361119?hl=en
Yes, you can do that in different ways. I'd suggest using Feature Flags approach in your A/B test in order to have a flag to generated the dynamic next URL from the API.
I'll try to summarize in two steps that you should go:
Add a Javascript in the Optimize Visual Editor for. Example here. The idea is this script to add a new flag:
window.FeatureManager = window.FeatureManager || {};
window.FeatureManager.variant_1_to_change_the_url = true;
On your own script, look at this flag to call the backend API in order to get the calculated URL:
// in case of the variant 1
if (window.FeatureManager && window.FeatureManager.variant_1_to_change_the_url) {
// calls the API passing this flag to get the new URL
const redirectURL = fetch('my_endpoint', true/false); // true/false could be the variant verification
location.href = redirectURL; // this is a sample, you can change the URL however you want
} else {
// the original variation
}
My app is caught up in Google's Cross App Scripting security warning and I can't seem to get a version of the app that doesn't trigger Google's warning.
The majority of the functionality is a WebView wrapper for a web app. That's where the warning is.
I think I've followed the directions in Google's tutorial for Option 2, which are as follows:
1. Update your targetSdkVersion.
It has to be above 16 and I've done that.
2. Protect calls to evaluateJavascript
The WebView does accept URL's from Intents, but those are checked ahead of time to always be trusted. And all external URLs that might appear inside the app are opened externally, i.e. in Chrome.
3. Prevent unsafe file loads
The WebView never opens file:// URIs.
The code below is the relevant section from the class and method that Google is indicating has a problem. I think I've correctly filtered out all code paths there so that the only URIs that open would be my own domain.
I've already been through two levels of Google support and all they say is to follow the directions in their tutorial. I think I've done that:
https://support.google.com/faqs/answer/9084685
rootUrl = "https://example.com"
Intent intent = getIntent();
if (intent.getStringExtra("action_url") != null) {
if (intent.getStringExtra(NotificationIntentService.NOTIFICATIONS_DESTINATION) != null) {
myWebView.loadUrl(rootUrl + intent.getStringExtra(NotificationIntentService.NOTIFICATIONS_DESTINATION));
} else if (
intent.getStringExtra("action_url").matches("^https://example.com/")) {
myWebView.loadUrl(intent.getStringExtra("action_url"));
}
} else {
if (retrieveHasRegistered(context)) {
myWebView.loadUrl(rootUrl + "/android?registered");
} else {
myWebView.loadUrl(rootUrl + "/android");
}
}
}
I'm new to nginx lua, and got a setup from previous developer. Trying to go through the docs to understand the scope but I'm pretty unsure.
It's like this right now
init_by_lua_block {
my_module = require 'my_module'
my_module.load_data()
}
location / {
content_by_lua_block {
my_module.use_data()
}
}
And in my_module
local _M = {}
local content = {}
function _M.use_data()
-- access content variable
end
function _M.load_data()
-- code to load json data into content variable
end
return _M
So my understand is, content is a local variable, so its lifetime is within each request. However, it's being initialized in init_by_lua_block, and is being used by other local functions, which makes me confused. Is this a good practice? And what's the actual lifetime of this content variable?
Thanks a lot for reading.
Found this: https://github.com/openresty/lua-nginx-module#data-sharing-within-an-nginx-worker
To globally share data among all the requests handled by the same nginx worker process, encapsulate the shared data into a Lua module, use the Lua require builtin to import the module, and then manipulate the shared data in Lua. This works because required Lua modules are loaded only once and all coroutines will share the same copy of the module (both its code and data). Note however that Lua global variables (note, not module-level variables) WILL NOT persist between requests because of the one-coroutine-per-request isolation design.
Here is a complete small example:
-- mydata.lua
local _M = {}
local data = {
dog = 3,
cat = 4,
pig = 5,
}
function _M.get_age(name)
return data[name]
end
return _M
and then accessing it from nginx.conf:
location /lua {
content_by_lua_block {
local mydata = require "mydata"
ngx.say(mydata.get_age("dog"))
}
}
init_by_lua[_block] runs at nginx-loading-config phase, before forking worker process.
so the content variable is global, it's all the same in every request.
https://github.com/openresty/lua-nginx-module/#init_by_lua
My client has a website with many subdomains, each representing a different "client":
http://www.store.com <- Main store; also the default OpenX "Website" host in admin.
http://client1.store.com <- Client store
http://client2.store.com <- Client store
...
http://client222.store.com <- Client store
A lot of the banners are internal links. For those internal ads, they use relative URLs in that banner's "Destination URL" field, in hopes that the link will use the host of the page the ad is being displayed on. But to no avail, the ads seem to always use the host of the OpenX "Website" that that zone is connected to.
So for these local ads I need the host of the destination URLs to match the page the ads is being displayed on. Any suggestions?
The answer to this question was to set the Banner's URL to something like this:
http://{currenthost}/shoes-half-off
Then pass extra, custom variable currenthost into the invocation code.
If the zone is in Local Mode
Set the variable like this, somewhere before your call to view_local():
$_REQUEST['currenthost'] = $_SERVER['HTTP_HOST'];
$raw = view_local($what, $zoneid, $campaignid, // ...
If the zone is in Javascript Mode
Pass it into openx/www/delivery/ajs.php as a part of the GET string. Turn this:
// ...
if (document.mmm_fo) document.write ("&mmm_fo=1");
document.write ("'><\/scr"+"ipt>");
// ...
Into this:
// ...
if (document.mmm_fo) document.write ("&mmm_fo=1");
document.write ("¤thost="+window.location.href); // <-- Added
document.write ("'><\/scr"+"ipt>");
// ...