Blocking all URIs except for one directory

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Blocking all URIs except for one directory

Igal @ Lucee.org

Hello,

I want to secure a site using the allow/deny directives so that only allowed networks will be able to access it.  There is one "public" directory, however, that I want to be accessible for everyone.

nginx serves as a reverse proxy on that site, and requests for URIs that end with the suffix ".cfm" are proxied to Tomcat.

So I currently have something like:

location / {
    allow 10.0.0.0/24;
    deny all;
}

location /public/ {
    allow all;    # does that make sense?
}

location ~ \.cfm$ {
    ## proxy settings go here
}

Keep in mind that .cfm scripts are both in /public/ as well as in other directories.

How can I achieve that?

Thanks,

Igal Sapir
Lucee Core Developer
Lucee.org


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: Blocking all URIs except for one directory

Maxim Dounin
Hello!

On Tue, Apr 25, 2017 at 12:50:24PM -0700, Igal @ Lucee.org wrote:

> Hello,
>
> I want to secure a site using the allow/deny directives so that only
> allowed networks will be able to access it.  There is one "public"
> directory, however, that I want to be accessible for everyone.
>
> nginx serves as a reverse proxy on that site, and requests for URIs that
> end with the suffix ".cfm" are proxied to Tomcat.
>
> So I currently have something like:
>
> location / {
>      allow 10.0.0.0/24;
>      deny all;
> }
>
> location /public/ {
>      allow all;    # does that make sense?
> }
>
> location ~ \.cfm$ {
>      ## proxy settings go here
> }
>
> Keep in mind that .cfm scripts are both in /public/ as well as in other
> directories.
>
> How can I achieve that?

Try this instead:

    location / {
        allow ...
        deny all;

        location ~ \.cfm$ {
            ...
        }
    }

    location /public/ {
        # access allowed to all by default - unless there is
        # something restrictive defined on previous levels

        location ~ \.cfm$ {
            ...
        }
    }

You may also find this talk interesting:

https://youtu.be/YWRYbLKsS0I

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: Blocking all URIs except for one directory

Igal @ Lucee.org

Maxim,

Thank you for your help, as always! 

On 4/26/2017 5:50 AM, Maxim Dounin wrote:
Hello!

On Tue, Apr 25, 2017 at 12:50:24PM -0700, Igal @ Lucee.org wrote:

Hello,

I want to secure a site using the allow/deny directives so that only 
allowed networks will be able to access it.  There is one "public" 
directory, however, that I want to be accessible for everyone.

nginx serves as a reverse proxy on that site, and requests for URIs that 
end with the suffix ".cfm" are proxied to Tomcat.

So I currently have something like:

location / {
     allow 10.0.0.0/24;
     deny all;
}

location /public/ {
     allow all;    # does that make sense?
}

location ~ \.cfm$ {
     ## proxy settings go here
}

Keep in mind that .cfm scripts are both in /public/ as well as in other 
directories.

How can I achieve that?
Try this instead:

    location / {
        allow ...
        deny all;

        location ~ \.cfm$ {
            ...
        }
    }

    location /public/ {
	# access allowed to all by default - unless there is 
	# something restrictive defined on previous levels

        location ~ \.cfm$ {
            ...
        }
    }

You may also find this talk interesting:

https://youtu.be/YWRYbLKsS0I


Igal Sapir
Lucee Core Developer
Lucee.org
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx