editing a general location match to exclude one, specific instance?

PGNet Dev

I run nginx 1.18.0.

I've had a trivial 'protection' rule in place for a long time

        location ~* (gulpfile\.js|settings.php|readme|schema|htpasswd|password|config) {
                deny all;
        }

That hasn't caused me any particular problems.

Recently, I've added a proxied back end app.

In logs I see

        ==> /var/log/nginx/auth.example1.com.error.log <==
         2020/05/12 22:16:39 [error] 57803#57803: *1 access forbidden by rule,
         client: 10.10.10.10, server: testapp.example1.com, request: "GET /api/configuration HTTP/2.0",
         host: "testapp.example1.com", referrer: "https://testapp.example1.com/?rd=https://example2.net/app2"

Removing the "config" match from the protection rule,

- location ~* (gulpfile\.js|settings.php|readme|schema|htpasswd|password|config) {
+ location ~* (gulpfile\.js|settings.php|readme|schema|htpasswd|password) {

eliminates the problem.

I'd like to edit the match to PASS that^ logged match -- as specifically/uniquely as possible -- but CONTINUE to 'deny all' for all other/remaining matches on "config".

How would that best be done?  A preceding location match? Or editing the existing one?

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: editing a general location match to exclude one, specific instance?

J.R.
First, you forgot to escape the period in settings.php  to settings\.php

> I'd like to edit the match to PASS that^ logged match -- as
> specifically/uniquely as possible -- but CONTINUE to 'deny all'
> for all other/remaining matches on "config".

Second, it's all in the location documentation:

http://nginx.org/en/docs/http/ngx_http_core_module.html#location

The two relevant bits are, depending on how you want to handle it:

1. If the longest matching prefix location has the “^~” modifier then
regular expressions are not checked.

2. Then regular expressions are checked, in the order of their
appearance in the configuration file. The search of regular
expressions terminates on the first match...

Re: editing a general location match to exclude one, specific instance?

PGNet Dev
> Second, it's all in the location documentation:

I'm not asking about the order.

I'm asking about a specific match(es) that'd work in this specific case.

If it's trivial, care to share a working example?

Re: editing a general location match to exclude one, specific instance?

Francis Daly
On Thu, May 14, 2020 at 11:10:20AM -0700, PGNet Dev wrote:

Hi there,

> editing a general location match to exclude one, specific instance?

It is usually easier to use positive matches instead of negative ones.

> I've had a trivial 'protection' rule in place for a long time
>
> location ~* (gulpfile\.js|settings.php|readme|schema|htpasswd|password|config) {
> deny all;
> }

> 2020/05/12 22:16:39 [error] 57803#57803: *1 access forbidden by rule,
> client: 10.10.10.10, server: testapp.example1.com, request: "GET /api/configuration HTTP/2.0",

> I'd like to edit the match to PASS that^ logged match -- as specifically/uniquely as possible -- but CONTINUE to 'deny all' for all other/remaining matches on "config".
>
> How would that best be done?  A preceding location match? Or editing the existing one?

A separate "location" that matches what you want and is "higher priority"
than the regex location that this request currently matches.

  location = /api/configuration {
    # do what you want, probably including proxy_pass
  }

You could use "location ^~ /api/configuration", if you want to allow
anything with that prefix.

Good luck with it,

        f
--
Francis Daly        [hidden email]
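To see what each suggestion in this thread lets through, here is an added example (not code from any of the posters or from nginx) that models the location selection order described in the nginx documentation and runs three variants of the configuration over sample paths. The catch-all `location /` entry, the action labels and every sample path except `/api/configuration` are assumptions made for illustration.

```python
import re

# The thread's deny pattern, with the period in settings\.php escaped as the reply suggests.
DENY_RE = r"(gulpfile\.js|settings\.php|readme|schema|htpasswd|password|config)"

def select_location(locations, uri):
    """Simplified model of nginx location selection for one server block.

    locations: list of (modifier, pattern, action) in configuration order.
    Modifiers: "=" exact, "^~" prefix that skips regex checks, "" plain
    prefix, "~" regex, "~*" case-insensitive regex.
    Not modelled: URI normalisation, nested and named locations.
    """
    # 1. An exact match ends the search immediately.
    for mod, pat, action in locations:
        if mod == "=" and uri == pat:
            return action
    # 2. Remember the longest matching prefix location.
    best = None
    for mod, pat, action in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    # 3. "^~" on the longest prefix means regexes are never consulted.
    if best and best[0] == "^~":
        return best[2]
    # 4. Otherwise the first regex that matches, in file order, wins.
    for mod, pat, action in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return action
    # 5. No regex matched: fall back to the remembered prefix location.
    return best[2] if best else None

# Assumed baseline: a catch-all proxy location plus the deny rule.
ORIGINAL = [("", "/", "proxy"), ("~*", DENY_RE, "deny")]
EXACT = [("=", "/api/configuration", "proxy")] + ORIGINAL    # location = ...
PREFIX = [("^~", "/api/configuration", "proxy")] + ORIGINAL  # location ^~ ...

# Constructed request paths; only the first appears in the thread's log.
SAMPLES = ["/api/configuration", "/api/configuration/export",
           "/api/configurations.bak", "/wp-config.php", "/README.md", "/index.html"]

def audit(locations):
    """Map every sample path to the action the modelled config selects."""
    return {uri: select_location(locations, uri) for uri in SAMPLES}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("exact", EXACT), ("prefix", PREFIX)):
        print(name, audit(cfg))
```

In this model the exact-match variant passes only `/api/configuration`, while the `^~` variant also passes `/api/configuration/export` and `/api/configurations.bak`, paths the deny rule would otherwise catch.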