FAQ Suggestions

I
Ivo
  • 19 Feb '23
1. is this mailing list the correct place to suggest additions to the FAQ?

2. why does

location /wth { root /var/www/fcgi-bin/; index wth-root.html; }


not resolve '/wth' (but incidentally does resolve '/wth-root.html',
though not '/wth-root').

I have been scratching my head about this for the longest time.
N
nanaya
  • 19 Feb '23
Hi

On Sun, Feb 19, 2023, at 10:27, Ivo Welch wrote:
> 2. why does
>
> ```
> location /wth {
>    root /var/www/fcgi-bin/;
>    index wth-root.html;
>  }
> ```
>
> not resolve '/wth' (but incidentally does resolve '/wth-root.html',
> though not '/wth-root').
>

it's one of the common confusions. Just /wth doesn't trigger index listing as it doesn't end with a forward slash. /wth-root does match because /wth matches anything that starts with /wth (some people seem to think it matches /wth/ directory but it really doesn't - it's just prefix matching after all).

If you have /var/www/fcgi-bin/wtha.html file and try accessing /wtha.html, it'll return that file, for example. Same with /wth-root.html as you experienced. 

Back to /wth, it'll try to return file /var/www/fcgi-bin/wth (which probably doesn't exist).

If what you actually want is to to match /wth/, it needs to be `location /wth/`. Although then it can't be accessed through /wth as it doesn't match anymore (unless it exists as directory in other location like `location /`). In which case I usually add `location = /wth { return 302 /wth/; }` to fix this one special case.
S
Saint
  • 19 Feb '23
>
> I have two locations

/xxxxx
/yyyyyy

the public one is /yyyyy, nobody is supposed to access /xxxxx from the
Internet.
Inside /yyyy, I call /xxxxx, but if I do this:

location /asrxxxx {
default_type  'text/html; charset=UTF-8';
allow 127.0.0.1;
 deny all;

it fails with forbidden. But I am using only from another location inside
the same server.

How do I protect internal service locations and at the same time use them?

>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230219/cd5f23f8/attachment.htm>
F
Francis
  • 19 Feb '23
On Sun, Feb 19, 2023 at 01:52:12AM -0500, Saint Michael wrote:

Hi there,

> it fails with forbidden. But I am using only from another location inside
> the same server.
> 
> How do I protect internal service locations and at the same time use them?

If you are asking "how do I ensure that a location{} can only be used for
internal redirects/requests", then you want http://nginx.org/r/internal

Cheers,

    f
-- 
Francis Daly        francis at daoine.org
F
Francis
  • 19 Feb '23
On Sat, Feb 18, 2023 at 05:27:45PM -0800, Ivo Welch wrote:

Hi there,

> 1. is this mailing list the correct place to suggest additions to the FAQ?

It's as good a place as any, yes.

> 2. why does
> 
> ```
> location /wth {
>    root /var/www/fcgi-bin/;
>    index wth-root.html;
>  }
> ```
> 
> not resolve '/wth' (but incidentally does resolve '/wth-root.html',
> though not '/wth-root').

What test makes you believe that "location /wth" does not resolve the
request "/wth", in your config?

> I have been scratching my head about this for the longest time.

What other location{}s are in this config, which you might have told
nginx to use instead of this one?

Can you show one example config that shows the problem?

For example, if I use:

server { listen 10080; root /tmp/r; location /wth { root /tmp/w; index w.html; } }


then "curl http://localhost:10080/wth" redirects me to
http://localhost:10080/wth/; and "curl http://localhost:10080/wth/"
gets me the content of /tmp/w/wth/w.html.

Do you see or expect something different?

Thanks,

    f
-- 
Francis Daly        francis at daoine.org
S
Saint
  • 19 Feb '23
Dear Francis
it does not work:
404 Not Found

this is my code
location /asrxxxx {
default_type  'text/html; charset=UTF-8';
internal;
....

}

location /carrier_00163e1bb23c {
default_type  'text/html; charset=UTF-8';
....

}

in the public location,  /carrier_00163e1bb23c, I have
</div>
<iframe src="/asrxxxx">
    Your browser does not support iframes
</iframe>
</div>

so how do I block the public from looking at my HTML and executing directly
/asrxxxx?
Is this a bug?
many thanks for your help.
Philip

On Sun, Feb 19, 2023 at 8:20 AM Francis Daly <francis at daoine.org> wrote:

> On Sun, Feb 19, 2023 at 01:52:12AM -0500, Saint Michael wrote:
>
> Hi there,
>
> > it fails with forbidden. But I am using only from another location inside
> > the same server.
> >
> > How do I protect internal service locations and at the same time use
> them?
>
> If you are asking "how do I ensure that a location{} can only be used for
> internal redirects/requests", then you want http://nginx.org/r/internal
>
> Cheers,
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230219/f77afcd5/attachment.htm>
I
Ivo
  • 20 Feb '23
thank you, F.  I created a completely new ubuntu VM, with a completely
vanilla configuration and only this one extra location statement at
http://164.67.176.22/  , describing the nginx configuration and
referencing its /wth, and it's not working :-( .

On Sun, Feb 19, 2023 at 5:37 AM Francis Daly <francis at daoine.org> wrote:
>
> On Sat, Feb 18, 2023 at 05:27:45PM -0800, Ivo Welch wrote:
>
> Hi there,
>
> > 1. is this mailing list the correct place to suggest additions to the FAQ?
>
> It's as good a place as any, yes.
>
> > 2. why does
> >
> > ```
> > location /wth {
> >    root /var/www/fcgi-bin/;
> >    index wth-root.html;
> >  }
> > ```
> >
> > not resolve '/wth' (but incidentally does resolve '/wth-root.html',
> > though not '/wth-root').
>
> What test makes you believe that "location /wth" does not resolve the
> request "/wth", in your config?
>
> > I have been scratching my head about this for the longest time.
>
> What other location{}s are in this config, which you might have told
> nginx to use instead of this one?
>
> Can you show one example config that shows the problem?
>
> For example, if I use:
>
> ```
> server {
>         listen 10080;
>         root /tmp/r;
>         location /wth {
>                 root /tmp/w;
>                 index w.html;
>         }
> }
> ```
>
> then "curl http://localhost:10080/wth" redirects me to
> http://localhost:10080/wth/; and "curl http://localhost:10080/wth/"
> gets me the content of /tmp/w/wth/w.html.
>
> Do you see or expect something different?
>
> Thanks,
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
I
Ivo
  • 20 Feb '23
please ignore previous email.  nanaya has an explanation that I need
to explore.  I think this would make a great example for an FAQ...

On Sat, Feb 18, 2023 at 10:27 PM nanaya <me at nanaya.net> wrote:
>
> Hi
>
> On Sun, Feb 19, 2023, at 10:27, Ivo Welch wrote:
> > 2. why does
> >
> > ```
> > location /wth {
> >    root /var/www/fcgi-bin/;
> >    index wth-root.html;
> >  }
> > ```
> >
> > not resolve '/wth' (but incidentally does resolve '/wth-root.html',
> > though not '/wth-root').
> >
>
> it's one of the common confusions. Just /wth doesn't trigger index listing as it doesn't end with a forward slash. /wth-root does match because /wth matches anything that starts with /wth (some people seem to think it matches /wth/ directory but it really doesn't - it's just prefix matching after all).
>
> If you have /var/www/fcgi-bin/wtha.html file and try accessing /wtha.html, it'll return that file, for example. Same with /wth-root.html as you experienced.
>
> Back to /wth, it'll try to return file /var/www/fcgi-bin/wth (which probably doesn't exist).
>
> If what you actually want is to to match /wth/, it needs to be `location /wth/`. Although then it can't be accessed through /wth as it doesn't match anymore (unless it exists as directory in other location like `location /`). In which case I usually add `location = /wth { return 302 /wth/; }` to fix this one special case.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
P
Payam
  • 20 Feb '23
You need to learn two things:
1- learn to read the page and understand what the expected result should be
2- google!

Your problem has been well covered thousands of times before.

Your 404 is expected error code when you are accessing the website from
external.

Also, read
https://nginx.org/en/docs/http/ngx_http_access_module.html

On Sun, Feb 19, 2023 at 6:34 AM Saint Michael <venefax at gmail.com> wrote:

> Dear Francis
> it does not work:
> 404 Not Found
>
> this is my code
> location /asrxxxx {
> default_type  'text/html; charset=UTF-8';
> internal;
> ....
>
> }
>
> location /carrier_00163e1bb23c {
> default_type  'text/html; charset=UTF-8';
> ....
>
> }
>
> in the public location,  /carrier_00163e1bb23c, I have
> </div>
> <iframe src="/asrxxxx">
>     Your browser does not support iframes
> </iframe>
> </div>
>
> so how do I block the public from looking at my HTML and executing
> directly /asrxxxx?
> Is this a bug?
> many thanks for your help.
> Philip
>
>
>
>
>
>
>
> On Sun, Feb 19, 2023 at 8:20 AM Francis Daly <francis at daoine.org> wrote:
>
>> On Sun, Feb 19, 2023 at 01:52:12AM -0500, Saint Michael wrote:
>>
>> Hi there,
>>
>> > it fails with forbidden. But I am using only from another location
>> inside
>> > the same server.
>> >
>> > How do I protect internal service locations and at the same time use
>> them?
>>
>> If you are asking "how do I ensure that a location{} can only be used for
>> internal redirects/requests", then you want http://nginx.org/r/internal
>>
>> Cheers,
>>
>>         f
>> --
>> Francis Daly        francis at daoine.org
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> https://mailman.nginx.org/mailman/listinfo/nginx
>>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-- 
Payam Tarverdyan Chychi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230219/46a9337d/attachment-0001.htm>
S
Saint
  • 20 Feb '23
I also tried

deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;

and it does not work. It uses the remote IP of the caller.

So Nginx does not have a way to do this.

Thanks doe confirming it.

On Sun, Feb 19, 2023 at 10:32 PM Payam Chychi <pchychi at gmail.com> wrote:

> You need to learn two things:
> 1- learn to read the page and understand what the expected result should be
> 2- google!
>
> Your problem has been well covered thousands of times before.
>
> Your 404 is expected error code when you are accessing the website from
> external.
>
> Also, read
> https://nginx.org/en/docs/http/ngx_http_access_module.html
>
>
>
>
> On Sun, Feb 19, 2023 at 6:34 AM Saint Michael <venefax at gmail.com> wrote:
>
>> Dear Francis
>> it does not work:
>> 404 Not Found
>>
>> this is my code
>> location /asrxxxx {
>> default_type  'text/html; charset=UTF-8';
>> internal;
>> ....
>>
>> }
>>
>> location /carrier_00163e1bb23c {
>> default_type  'text/html; charset=UTF-8';
>> ....
>>
>> }
>>
>> in the public location,  /carrier_00163e1bb23c, I have
>> </div>
>> <iframe src="/asrxxxx">
>>     Your browser does not support iframes
>> </iframe>
>> </div>
>>
>> so how do I block the public from looking at my HTML and executing
>> directly /asrxxxx?
>> Is this a bug?
>> many thanks for your help.
>> Philip
>>
>>
>>
>>
>>
>>
>>
>> On Sun, Feb 19, 2023 at 8:20 AM Francis Daly <francis at daoine.org> wrote:
>>
>>> On Sun, Feb 19, 2023 at 01:52:12AM -0500, Saint Michael wrote:
>>>
>>> Hi there,
>>>
>>> > it fails with forbidden. But I am using only from another location
>>> inside
>>> > the same server.
>>> >
>>> > How do I protect internal service locations and at the same time use
>>> them?
>>>
>>> If you are asking "how do I ensure that a location{} can only be used for
>>> internal redirects/requests", then you want http://nginx.org/r/internal
>>>
>>> Cheers,
>>>
>>>         f
>>> --
>>> Francis Daly        francis at daoine.org
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> https://mailman.nginx.org/mailman/listinfo/nginx
>>
> --
> Payam Tarverdyan Chychi
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230219/8f4f2064/attachment.htm>
P
Payam
  • 20 Feb '23
Yes it does, but you are not providing enough on what you are doing, only
what you want to do.

Run developer tools and see what your ip address is reported as.

On Sun, Feb 19, 2023 at 7:54 PM Saint Michael <venefax at gmail.com> wrote:

> I also tried
>
> deny  192.168.1.1;
>     allow 192.168.1.0/24;
>     allow 10.1.1.0/16;
>     allow 2001:0db8::/32;
>     deny  all;
>
>
> and it does not work. It uses the remote IP of the caller.
>
>
> So Nginx does not have a way to do this.
>
> Thanks doe confirming it.
>
>
>
> On Sun, Feb 19, 2023 at 10:32 PM Payam Chychi <pchychi at gmail.com> wrote:
>
>> You need to learn two things:
>> 1- learn to read the page and understand what the expected result should
>> be
>> 2- google!
>>
>> Your problem has been well covered thousands of times before.
>>
>> Your 404 is expected error code when you are accessing the website from
>> external.
>>
>> Also, read
>> https://nginx.org/en/docs/http/ngx_http_access_module.html
>>
>>
>>
>>
>> On Sun, Feb 19, 2023 at 6:34 AM Saint Michael <venefax at gmail.com> wrote:
>>
>>> Dear Francis
>>> it does not work:
>>> 404 Not Found
>>>
>>> this is my code
>>> location /asrxxxx {
>>> default_type  'text/html; charset=UTF-8';
>>> internal;
>>> ....
>>>
>>> }
>>>
>>> location /carrier_00163e1bb23c {
>>> default_type  'text/html; charset=UTF-8';
>>> ....
>>>
>>> }
>>>
>>> in the public location,  /carrier_00163e1bb23c, I have
>>> </div>
>>> <iframe src="/asrxxxx">
>>>     Your browser does not support iframes
>>> </iframe>
>>> </div>
>>>
>>> so how do I block the public from looking at my HTML and executing
>>> directly /asrxxxx?
>>> Is this a bug?
>>> many thanks for your help.
>>> Philip
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Sun, Feb 19, 2023 at 8:20 AM Francis Daly <francis at daoine.org> wrote:
>>>
>>>> On Sun, Feb 19, 2023 at 01:52:12AM -0500, Saint Michael wrote:
>>>>
>>>> Hi there,
>>>>
>>>> > it fails with forbidden. But I am using only from another location
>>>> inside
>>>> > the same server.
>>>> >
>>>> > How do I protect internal service locations and at the same time use
>>>> them?
>>>>
>>>> If you are asking "how do I ensure that a location{} can only be used
>>>> for
>>>> internal redirects/requests", then you want http://nginx.org/r/internal
>>>>
>>>> Cheers,
>>>>
>>>>         f
>>>> --
>>>> Francis Daly        francis at daoine.org
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>
>> --
>> Payam Tarverdyan Chychi
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> https://mailman.nginx.org/mailman/listinfo/nginx
>>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-- 
Payam Tarverdyan Chychi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230219/570231e2/attachment.htm>
S
Saint
  • 20 Feb '23
It uses the original IP of the user, not of the server.
That's why the ALLOW..DENY does not work either.
Nobody thought about this in Nginx.

On Sun, Feb 19, 2023 at 11:00 PM Payam Chychi <pchychi at gmail.com> wrote:

> Yes it does, but you are not providing enough on what you are doing, only
> what you want to do.
>
> Run developer tools and see what your ip address is reported as.
>
> On Sun, Feb 19, 2023 at 7:54 PM Saint Michael <venefax at gmail.com> wrote:
>
>> I also tried
>>
>> deny  192.168.1.1;
>>     allow 192.168.1.0/24;
>>     allow 10.1.1.0/16;
>>     allow 2001:0db8::/32;
>>     deny  all;
>>
>>
>> and it does not work. It uses the remote IP of the caller.
>>
>>
>> So Nginx does not have a way to do this.
>>
>> Thanks doe confirming it.
>>
>>
>>
>> On Sun, Feb 19, 2023 at 10:32 PM Payam Chychi <pchychi at gmail.com> wrote:
>>
>>> You need to learn two things:
>>> 1- learn to read the page and understand what the expected result should
>>> be
>>> 2- google!
>>>
>>> Your problem has been well covered thousands of times before.
>>>
>>> Your 404 is expected error code when you are accessing the website from
>>> external.
>>>
>>> Also, read
>>> https://nginx.org/en/docs/http/ngx_http_access_module.html
>>>
>>>
>>>
>>>
>>> On Sun, Feb 19, 2023 at 6:34 AM Saint Michael <venefax at gmail.com> wrote:
>>>
>>>> Dear Francis
>>>> it does not work:
>>>> 404 Not Found
>>>>
>>>> this is my code
>>>> location /asrxxxx {
>>>> default_type  'text/html; charset=UTF-8';
>>>> internal;
>>>> ....
>>>>
>>>> }
>>>>
>>>> location /carrier_00163e1bb23c {
>>>> default_type  'text/html; charset=UTF-8';
>>>> ....
>>>>
>>>> }
>>>>
>>>> in the public location,  /carrier_00163e1bb23c, I have
>>>> </div>
>>>> <iframe src="/asrxxxx">
>>>>     Your browser does not support iframes
>>>> </iframe>
>>>> </div>
>>>>
>>>> so how do I block the public from looking at my HTML and executing
>>>> directly /asrxxxx?
>>>> Is this a bug?
>>>> many thanks for your help.
>>>> Philip
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Sun, Feb 19, 2023 at 8:20 AM Francis Daly <francis at daoine.org>
>>>> wrote:
>>>>
>>>>> On Sun, Feb 19, 2023 at 01:52:12AM -0500, Saint Michael wrote:
>>>>>
>>>>> Hi there,
>>>>>
>>>>> > it fails with forbidden. But I am using only from another location
>>>>> inside
>>>>> > the same server.
>>>>> >
>>>>> > How do I protect internal service locations and at the same time use
>>>>> them?
>>>>>
>>>>> If you are asking "how do I ensure that a location{} can only be used
>>>>> for
>>>>> internal redirects/requests", then you want
>>>>> http://nginx.org/r/internal
>>>>>
>>>>> Cheers,
>>>>>
>>>>>         f
>>>>> --
>>>>> Francis Daly        francis at daoine.org
>>>>> _______________________________________________
>>>>> nginx mailing list
>>>>> nginx at nginx.org
>>>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>> --
>>> Payam Tarverdyan Chychi
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> https://mailman.nginx.org/mailman/listinfo/nginx
>>
> --
> Payam Tarverdyan Chychi
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230219/537b5fc3/attachment-0001.htm>
P
Payam
  • 20 Feb '23
You need to be more clear on what you are trying to do so we can help you.
Draw a diagram or something with the details.

You can use authentication and use that to protect and use at the same time
but again, you have left out some critical details as to what you are tying
to accomplish.

Nginx is powerful, you can write rules to do almost anything, but first you
need to figure out what you want to do.

On Sun, Feb 19, 2023 at 8:24 PM Saint Michael <venefax at gmail.com> wrote:

> It uses the original IP of the user, not of the server.
> That's why the ALLOW..DENY does not work either.
> Nobody thought about this in Nginx.
>
>
> On Sun, Feb 19, 2023 at 11:00 PM Payam Chychi <pchychi at gmail.com> wrote:
>
>> Yes it does, but you are not providing enough on what you are doing, only
>> what you want to do.
>>
>> Run developer tools and see what your ip address is reported as.
>>
>> On Sun, Feb 19, 2023 at 7:54 PM Saint Michael <venefax at gmail.com> wrote:
>>
>>> I also tried
>>>
>>> deny  192.168.1.1;
>>>     allow 192.168.1.0/24;
>>>     allow 10.1.1.0/16;
>>>     allow 2001:0db8::/32;
>>>     deny  all;
>>>
>>>
>>> and it does not work. It uses the remote IP of the caller.
>>>
>>>
>>> So Nginx does not have a way to do this.
>>>
>>> Thanks doe confirming it.
>>>
>>>
>>>
>>> On Sun, Feb 19, 2023 at 10:32 PM Payam Chychi <pchychi at gmail.com> wrote:
>>>
>>>> You need to learn two things:
>>>> 1- learn to read the page and understand what the expected result
>>>> should be
>>>> 2- google!
>>>>
>>>> Your problem has been well covered thousands of times before.
>>>>
>>>> Your 404 is expected error code when you are accessing the website from
>>>> external.
>>>>
>>>> Also, read
>>>> https://nginx.org/en/docs/http/ngx_http_access_module.html
>>>>
>>>>
>>>>
>>>>
>>>> On Sun, Feb 19, 2023 at 6:34 AM Saint Michael <venefax at gmail.com>
>>>> wrote:
>>>>
>>>>> Dear Francis
>>>>> it does not work:
>>>>> 404 Not Found
>>>>>
>>>>> this is my code
>>>>> location /asrxxxx {
>>>>> default_type  'text/html; charset=UTF-8';
>>>>> internal;
>>>>> ....
>>>>>
>>>>> }
>>>>>
>>>>> location /carrier_00163e1bb23c {
>>>>> default_type  'text/html; charset=UTF-8';
>>>>> ....
>>>>>
>>>>> }
>>>>>
>>>>> in the public location,  /carrier_00163e1bb23c, I have
>>>>> </div>
>>>>> <iframe src="/asrxxxx">
>>>>>     Your browser does not support iframes
>>>>> </iframe>
>>>>> </div>
>>>>>
>>>>> so how do I block the public from looking at my HTML and executing
>>>>> directly /asrxxxx?
>>>>> Is this a bug?
>>>>> many thanks for your help.
>>>>> Philip
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Feb 19, 2023 at 8:20 AM Francis Daly <francis at daoine.org>
>>>>> wrote:
>>>>>
>>>>>> On Sun, Feb 19, 2023 at 01:52:12AM -0500, Saint Michael wrote:
>>>>>>
>>>>>> Hi there,
>>>>>>
>>>>>> > it fails with forbidden. But I am using only from another location
>>>>>> inside
>>>>>> > the same server.
>>>>>> >
>>>>>> > How do I protect internal service locations and at the same time
>>>>>> use them?
>>>>>>
>>>>>> If you are asking "how do I ensure that a location{} can only be used
>>>>>> for
>>>>>> internal redirects/requests", then you want
>>>>>> http://nginx.org/r/internal
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>>         f
>>>>>> --
>>>>>> Francis Daly        francis at daoine.org
>>>>>> _______________________________________________
>>>>>> nginx mailing list
>>>>>> nginx at nginx.org
>>>>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>>>>
>>>>> _______________________________________________
>>>>> nginx mailing list
>>>>> nginx at nginx.org
>>>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>>>
>>>> --
>>>> Payam Tarverdyan Chychi
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>
>> --
>> Payam Tarverdyan Chychi
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> https://mailman.nginx.org/mailman/listinfo/nginx
>>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-- 
Payam Tarverdyan Chychi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230219/1e17bd63/attachment.htm>
S
Saint
  • 20 Feb '23
Thanks for your patience.
I publish a report, which takes 1 minute to complete.
So I send the users to a spinner, which has an Iframe inside.
While the spinner spins, the iframe runs the report from the /internal
location.
Once the report is ready, the spinner hides the div and replaces the
internal HTML with the one from the Iframe.
I haven't found any other way to display a spinner covering the whole
screen while I get the report underneath. Once the report shows some images
at the top, the spinner disappears, but then it takes a minute for the real
data to display.
Any ideas?

On Sun, Feb 19, 2023 at 11:52 PM Payam Chychi <pchychi at gmail.com> wrote:

> You need to be more clear on what you are trying to do so we can help you.
> Draw a diagram or something with the details.
>
> You can use authentication and use that to protect and use at the same
> time but again, you have left out some critical details as to what you are
> tying to accomplish.
>
> Nginx is powerful, you can write rules to do almost anything, but first
> you need to figure out what you want to do.
>
>
>
> On Sun, Feb 19, 2023 at 8:24 PM Saint Michael <venefax at gmail.com> wrote:
>
>> It uses the original IP of the user, not of the server.
>> That's why the ALLOW..DENY does not work either.
>> Nobody thought about this in Nginx.
>>
>>
>> On Sun, Feb 19, 2023 at 11:00 PM Payam Chychi <pchychi at gmail.com> wrote:
>>
>>> Yes it does, but you are not providing enough on what you are doing,
>>> only what you want to do.
>>>
>>> Run developer tools and see what your ip address is reported as.
>>>
>>> On Sun, Feb 19, 2023 at 7:54 PM Saint Michael <venefax at gmail.com> wrote:
>>>
>>>> I also tried
>>>>
>>>> deny  192.168.1.1;
>>>>     allow 192.168.1.0/24;
>>>>     allow 10.1.1.0/16;
>>>>     allow 2001:0db8::/32;
>>>>     deny  all;
>>>>
>>>>
>>>> and it does not work. It uses the remote IP of the caller.
>>>>
>>>>
>>>> So Nginx does not have a way to do this.
>>>>
>>>> Thanks doe confirming it.
>>>>
>>>>
>>>>
>>>> On Sun, Feb 19, 2023 at 10:32 PM Payam Chychi <pchychi at gmail.com>
>>>> wrote:
>>>>
>>>>> You need to learn two things:
>>>>> 1- learn to read the page and understand what the expected result
>>>>> should be
>>>>> 2- google!
>>>>>
>>>>> Your problem has been well covered thousands of times before.
>>>>>
>>>>> Your 404 is expected error code when you are accessing the website
>>>>> from external.
>>>>>
>>>>> Also, read
>>>>> https://nginx.org/en/docs/http/ngx_http_access_module.html
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Feb 19, 2023 at 6:34 AM Saint Michael <venefax at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Dear Francis
>>>>>> it does not work:
>>>>>> 404 Not Found
>>>>>>
>>>>>> this is my code
>>>>>> location /asrxxxx {
>>>>>> default_type  'text/html; charset=UTF-8';
>>>>>> internal;
>>>>>> ....
>>>>>>
>>>>>> }
>>>>>>
>>>>>> location /carrier_00163e1bb23c {
>>>>>> default_type  'text/html; charset=UTF-8';
>>>>>> ....
>>>>>>
>>>>>> }
>>>>>>
>>>>>> in the public location,  /carrier_00163e1bb23c, I have
>>>>>> </div>
>>>>>> <iframe src="/asrxxxx">
>>>>>>     Your browser does not support iframes
>>>>>> </iframe>
>>>>>> </div>
>>>>>>
>>>>>> so how do I block the public from looking at my HTML and executing
>>>>>> directly /asrxxxx?
>>>>>> Is this a bug?
>>>>>> many thanks for your help.
>>>>>> Philip
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sun, Feb 19, 2023 at 8:20 AM Francis Daly <francis at daoine.org>
>>>>>> wrote:
>>>>>>
>>>>>>> On Sun, Feb 19, 2023 at 01:52:12AM -0500, Saint Michael wrote:
>>>>>>>
>>>>>>> Hi there,
>>>>>>>
>>>>>>> > it fails with forbidden. But I am using only from another location
>>>>>>> inside
>>>>>>> > the same server.
>>>>>>> >
>>>>>>> > How do I protect internal service locations and at the same time
>>>>>>> use them?
>>>>>>>
>>>>>>> If you are asking "how do I ensure that a location{} can only be
>>>>>>> used for
>>>>>>> internal redirects/requests", then you want
>>>>>>> http://nginx.org/r/internal
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>>         f
>>>>>>> --
>>>>>>> Francis Daly        francis at daoine.org
>>>>>>> _______________________________________________
>>>>>>> nginx mailing list
>>>>>>> nginx at nginx.org
>>>>>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>>>>>
>>>>>> _______________________________________________
>>>>>> nginx mailing list
>>>>>> nginx at nginx.org
>>>>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>>>>
>>>>> --
>>>>> Payam Tarverdyan Chychi
>>>>> _______________________________________________
>>>>> nginx mailing list
>>>>> nginx at nginx.org
>>>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>>>
>>>> _______________________________________________
>>>> nginx mailing list
>>>> nginx at nginx.org
>>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>>
>>> --
>>> Payam Tarverdyan Chychi
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> https://mailman.nginx.org/mailman/listinfo/nginx
>>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> https://mailman.nginx.org/mailman/listinfo/nginx
>>
> --
> Payam Tarverdyan Chychi
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230220/33e2d326/attachment-0001.htm>
N
nanaya
  • 20 Feb '23
Hi,

On Mon, Feb 20, 2023, at 10:51, Ivo Welch wrote:
> please ignore previous email.  nanaya has an explanation that I need
> to explore.  I think this would make a great example for an FAQ...
>

As explained by Francis, I forgot to mention the part that "root /tmp/w" in a "location /wth" means accessing /tmp/w/wth for /wth and if it's a directory - as it would usually be - it'll return redirect to /wth/ which will then check /tmp/w/wth/ for the index file.

If you want /wth/a.html to return content of /tmp/w/a.html instead of /tmp/w/wth/a.html, use alias instead of root (although there may be other complications when combined with fastcgi for example).
F
Francis
  • 20 Feb '23
On Sun, Feb 19, 2023 at 05:49:48PM -0800, Ivo Welch wrote:

Hi there,

> thank you, F.  I created a completely new ubuntu VM, with a completely
> vanilla configuration and only this one extra location statement at
> http://164.67.176.22/  , describing the nginx configuration and
> referencing its /wth, and it's not working :-( .

For the convenience of future searchers, it would be better to include
the content at that url in the mail directly.

In this particular case, I suspect that the key line is

> try /wth, which nginx should resolve to
> /var/www/fcgi-bin/wth-root.html. However, this causes a 404 error.

When you make the request to /wth and get the 404 response, what is
written in the nginx error log? That will tell you what nginx thought
that nginx was doing; if that does not match what you thought that nginx
should be doing, that might point at the problem.

I suspect that the issue is a misunderstanding of what "root" does --
http://nginx.org/r/root. That content also includes a link to "alias",
which might be what you want, depending on what you want to have happen.

Good luck with it,

    f
-- 
Francis Daly        francis at daoine.org
F
Francis
  • 20 Feb '23
On Sun, Feb 19, 2023 at 09:33:46AM -0500, Saint Michael wrote:

Hi there,

> it does not work:
> 404 Not Found

It appears that you are not asking "how do I ensure that a location{}
can only be used for internal redirects/requests".

> in the public location,  /carrier_00163e1bb23c, I have
> <iframe src="/asrxxxx">
>     Your browser does not support iframes
> </iframe>

> so how do I block the public from looking at my HTML and executing directly
> /asrxxxx?

You don't.

> Is this a bug?

It's a misunderstanding on your part of how the requests from the browser
to the server work.

Right now, your question is "how do I block people from accessing a
URL, while also allowing them to access the URL". And the answer is
"you can't, reliably".

The thing that you want to achieve, can't be achieved using the plan
that you are currently following.

In the tradition of "the XY problem": if you will describe the thing
that you want to achieve, instead of just a part of the current thing
that you are doing to attempt to achieve it, then it may be that someone
can suggest a way to achieve it.

I do see a later mail that has some more details; but on first glance
it seems to be describing your current solution, rather than the problem.

Cheers,

    f
-- 
Francis Daly        francis at daoine.org
P
Payam
  • 20 Feb '23
+1 Francis

Saint, I wonder if this might satisfy your ask indirectly.

Assign a secondary ip address to a nic, and redirect to that ip for your
iframe processing.

Then you can apply a more specific ACL at host or nginx level to control
iframe reachability, or even use a ip address thats only reachable to your
internal users.

The more correct way of doing all of this is through secure user session
management with authentication and authorization.

Good luck
-Payam

On Mon, Feb 20, 2023 at 4:35 AM Francis Daly <francis at daoine.org> wrote:

> On Sun, Feb 19, 2023 at 09:33:46AM -0500, Saint Michael wrote:
>
> Hi there,
>
> > it does not work:
> > 404 Not Found
>
> It appears that you are not asking "how do I ensure that a location{}
> can only be used for internal redirects/requests".
>
> > in the public location,  /carrier_00163e1bb23c, I have
> > <iframe src="/asrxxxx">
> >     Your browser does not support iframes
> > </iframe>
>
> > so how do I block the public from looking at my HTML and executing
> directly
> > /asrxxxx?
>
> You don't.
>
> > Is this a bug?
>
> It's a misunderstanding on your part of how the requests from the browser
> to the server work.
>
> Right now, your question is "how do I block people from accessing a
> URL, while also allowing them to access the URL". And the answer is
> "you can't, reliably".
>
> The thing that you want to achieve, can't be achieved using the plan
> that you are currently following.
>
> In the tradition of "the XY problem": if you will describe the thing
> that you want to achieve, instead of just a part of the current thing
> that you are doing to attempt to achieve it, then it may be that someone
> can suggest a way to achieve it.
>
> I do see a later mail that has some more details; but on first glance
> it seems to be describing your current solution, rather than the problem.
>
> Cheers,
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-- 
Payam Tarverdyan Chychi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230220/e02017ea/attachment.htm>
S
Saint
  • 20 Feb '23
Thanks.
I am considering the options.

On Mon, Feb 20, 2023 at 1:21 PM Payam Chychi <pchychi at gmail.com> wrote:

> +1 Francis
>
> Saint, I wonder if this might satisfy your ask indirectly.
>
> Assign a secondary ip address to a nic, and redirect to that ip for your
> iframe processing.
>
> Then you can apply a more specific ACL at host or nginx level to control
> iframe reachability, or even use a ip address thats only reachable to your
> internal users.
>
> The more correct way of doing all of this is through secure user session
> management with authentication and authorization.
>
> Good luck
> -Payam
>
> On Mon, Feb 20, 2023 at 4:35 AM Francis Daly <francis at daoine.org> wrote:
>
>> On Sun, Feb 19, 2023 at 09:33:46AM -0500, Saint Michael wrote:
>>
>> Hi there,
>>
>> > it does not work:
>> > 404 Not Found
>>
>> It appears that you are not asking "how do I ensure that a location{}
>> can only be used for internal redirects/requests".
>>
>> > in the public location,  /carrier_00163e1bb23c, I have
>> > <iframe src="/asrxxxx">
>> >     Your browser does not support iframes
>> > </iframe>
>>
>> > so how do I block the public from looking at my HTML and executing
>> directly
>> > /asrxxxx?
>>
>> You don't.
>>
>> > Is this a bug?
>>
>> It's a misunderstanding on your part of how the requests from the browser
>> to the server work.
>>
>> Right now, your question is "how do I block people from accessing a
>> URL, while also allowing them to access the URL". And the answer is
>> "you can't, reliably".
>>
>> The thing that you want to achieve, can't be achieved using the plan
>> that you are currently following.
>>
>> In the tradition of "the XY problem": if you will describe the thing
>> that you want to achieve, instead of just a part of the current thing
>> that you are doing to attempt to achieve it, then it may be that someone
>> can suggest a way to achieve it.
>>
>> I do see a later mail that has some more details; but on first glance
>> it seems to be describing your current solution, rather than the problem.
>>
>> Cheers,
>>
>>         f
>> --
>> Francis Daly        francis at daoine.org
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> https://mailman.nginx.org/mailman/listinfo/nginx
>>
> --
> Payam Tarverdyan Chychi
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230220/5b6a294e/attachment-0001.htm>
S
Saint
  • 21 Feb '23
I am using openresty
nginx -version
nginx version: openresty/1.21.4.1

>  foreach $domain in $server_name {
>>
>         ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
>         ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
>     }
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230221/f20995a3/attachment.htm>
Reply