NGINX to filter out non matches to url pattern

I am using an image proxy which is behind nginx and I want to make sure the world doesn't use my image proxy for their own images.

the proxy is generally expecting a url like this

http://imgproxy.com/unsafe/thumbnail:blurry:watermarked/plain/http://mysource.com/images/curiosity.jpg

In the above case I would want to whitelist "mysource.com", or rather "*.mysource.com", so that we can ensure that proxy requests asking for other domains aren't ours. Ideally in your solution we could specify 1 or more wildcard domains like this:

*.source1.com

*.source2.com

I'm guessing the solution would be some regex to parse inbound requests and quickly pass or reject.

awarded to dekkard
Tags
nginx


3 Solutions


Hello

It can easily be done by adding an if condition in your configuration file:

# Assume the request is untrusted until one of the tests below matches.
set $test 1;

# Dots are escaped so "." does not match any character.
if ($request ~* "mysource\.com") { #test for first path
    set $test 0;
}

if ($request ~* "mysource2\.com") { #test for second path
    set $test 0;
}

# None of the previous tests matched: reject the request.
if ($test = 1) {
    return 403; #forbidden access
}

So if one of the words matches somewhere in the request, you will not enter the last condition, which returns a 403 error.
Can you try this and give me feedback?

I guess if a supplied URL looks like https://unknown.com/mysource1.com/img/test.jpg or https://mysource1.com.unknown.com/img/test.jpg, it won't be blocked.
dekkard 4 months ago

Hi,
This is not exactly what you asked for; this solution is for preventing image hotlinking. It might be helpful for you. The problem with your request is that anyone can copy your proxy URL and access the image.

# Only image requests are checked; the dot is escaped so it matches literally.
location ~ \.(gif|jpe?g|png)$ {
    # Configurations to check for image hotlinking.
    # Remember to substitute mysource.com with your domain.
    # "none" allows requests without a Referer, "blocked" allows a Referer
    # that a proxy or firewall has stripped or masked.
    valid_referers none blocked mysource.com *.mysource.com;
    if ($invalid_referer) {
        return 403;
    }
}

Do let me know if it works for you.

I appreciate the thought, but we have a CDN sitting in front of the proxy, so it will be a bit blind to this part of the pipe. Thanks for the thought though!
Qdev 4 months ago
No problem :)
Zhopon 4 months ago
Winning solution

Here's the regex solution:

# Block requests whose embedded source host is not a trusted domain or a subdomain of one.
# The optional "[^\/]*\." prefix requires a dot before the trusted name, so evilsource1.com is not accepted as *.source1.com.
location ~* ^/.+/https?://(?!(?:[^\/]*\.)?(?:source1\.com|source2\.com|whatever\.org)/).*$ {
  return 403;
}

I guess this should be the first "location" in config.
Here, source1.com, source2.com, whatever.org are the trusted domains, which won't be blocked.

Tested this config with this tool

Test URLs and results:

http://domain2.com/unsafe/thumbnail:whatever/plain/http://wat.source1.com/img/test.jpg - ok - no match
http://domain2.com/unsafe/thumbnail:whatever/plain/http://source1.com/img/test.jpg - ok
http://domain2.com/unsafe/thumbnail:whatever/plain/https://source1.com/img/test.jpg - ok
http://domain2.com/unsafe/thumbnail:whatever/plain/https://unknown.com.source1.com/img/test.jpg - ok

http://domain2.com/unsafe/thumbnail:whatever/plain/http://wat.unknown.com/img/test.jpg - blocked - matches
http://domain2.com/unsafe/thumbnail:whatever/plain/https://wat.unknown.com/img/test.jpg - blocked
http://domain2.com/unsafe/thumbnail:whatever/plain/https://unknown.com/img/test.jpg - blocked
http://domain2.com/unsafe/thumbnail:whatever/plain/https://unknown.com/source1.com/img/test.jpg - blocked
http://domain2.com/unsafe/thumbnail:whatever/plain/https://source1.com.unknown.com/img/test.jpg - blocked
Worked perfectly and was nice and elegant.
Qdev 4 months ago
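The script below is an added example and is not code from the thread or from any of the answerers. It replays the two approaches discussed above offline: the substring test from the first answer (`if ($request ~* "mysource.com")`) and the anchored host regex from the winning answer, which it builds from a list of trusted domains rather than hard-coding them. It runs both against the test URIs listed above plus a few extra cases, and compares them with a third check that parses the embedded source URL with `urllib` and does a proper suffix match on the hostname. The domain list, the `/unsafe/thumbnail:whatever/plain/` prefix and all URIs are constructed for the example; the one addition to the regex is the `(?:[^/]*\.)?` dot boundary, so that `evilsource1.com` is not accepted as `*.source1.com`.

```python
"""Offline comparison of three ways to whitelist the source host embedded in
an image-proxy URI. Added example; trusted domains and URIs are constructed."""
import re
from urllib.parse import urlsplit

TRUSTED = ["source1.com", "source2.com", "whatever.org"]  # assumed whitelist
PREFIX = "/unsafe/thumbnail:whatever/plain/"              # assumed proxy path


def substring_blocked(uri, domains=TRUSTED):
    """First answer: a trusted name appearing anywhere in the request makes it
    pass, so 'https://unknown.com/source1.com/...' is NOT blocked."""
    return not any(re.search(re.escape(d), uri, re.IGNORECASE) for d in domains)


def build_block_regex(domains=TRUSTED):
    """Winning answer's location regex, built from a domain list. The optional
    '[^/]*\\.' prefix is the dot boundary added here."""
    alts = "|".join(re.escape(d) for d in domains)
    return re.compile(r"^/.+/https?://(?!(?:[^/]*\.)?(?:%s)/).*$" % alts,
                      re.IGNORECASE)


BLOCK_RE = build_block_regex()


def regex_blocked(uri):
    """True when nginx would land in the 'return 403' location."""
    return BLOCK_RE.match(uri) is not None


def embedded_source(uri):
    """Return the http(s) URL that follows the proxy path, or None."""
    m = re.match(r"^/.+?/(https?://.*)$", uri, re.IGNORECASE)
    return m.group(1) if m else None


def parse_blocked(uri, domains=TRUSTED):
    """Parsing-based check: urlsplit drops userinfo and port, then the host must
    equal a trusted domain or end in '.' + domain. Unlike the regex location,
    a URI with no embedded URL is treated as untrusted (default deny)."""
    src = embedded_source(uri)
    if src is None:
        return True
    host = (urlsplit(src).hostname or "").lower().rstrip(".")
    return not any(host == d or host.endswith("." + d) for d in domains)


# Constructed cases: (embedded source URL, expected verdict of the anchored regex)
CASES = [
    ("http://wat.source1.com/img/test.jpg", False),
    ("http://source1.com/img/test.jpg", False),
    ("https://unknown.com.source1.com/img/test.jpg", False),
    ("https://wat.unknown.com/img/test.jpg", True),
    ("https://unknown.com/source1.com/img/test.jpg", True),   # substring bypass
    ("https://source1.com.unknown.com/img/test.jpg", True),   # substring bypass
    ("https://evilsource1.com/img/test.jpg", True),           # needs dot boundary
    ("http://source1.com@evil.com/img/test.jpg", True),       # userinfo trick
    ("http://source1.com:8080/img/test.jpg", True),           # port: regex stricter
]


def run_cases():
    """Return {source URL: (substring, regex, parse)} verdicts; True = blocked."""
    out = {}
    for src, _ in CASES:
        uri = PREFIX + src
        out[src] = (substring_blocked(uri), regex_blocked(uri), parse_blocked(uri))
    return out


def regex_matches_expectations():
    """True when the anchored regex gives the expected verdict for every case."""
    return all(regex_blocked(PREFIX + src) == exp for src, exp in CASES)


if __name__ == "__main__":
    for src, (sub, rx, ps) in run_cases().items():
        print(f"{src:50} substring={sub!s:5} regex={rx!s:5} parse={ps!s:5}")
```

The substring column shows why the first answer is bypassable with the URLs dekkard gave, while the regex and parse columns agree everywhere except on an explicit port, which the regex rejects because the host run must end exactly in the trusted name before the next `/`. If you need ports or userinfo handled, the parsing-based check is the one to port into a small auth subrequest; the nginx regex is fine for the plain `scheme://host/path` form shown in the question.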