2

I'm trying to setup nginx in order to match certain URL on server where conditional access is granted (i.e. only those with valid client certificate are allowed to access this area).

Right now, simple location block works fine preventing access to unauthorized users:

location ~ ^/protected/ticketing {
         if ($ssl_client_verify != SUCCESS) { return 401; }
#need treatment of php files here after SUCCESS = $ssl_client_verify ?!
}

So no one can access /protected/ticketing/anyThingHere

BUT. When you actually present a valid certificate, and this return 401 does not trigger, /protected/ticketing/index.php is not parsed by an upstream FPM server but instead is presented for download (i.e. content disposition is set to default octet stream).

Is there an elegant way of doing this?

My upstream is defined as:

upstream backend {
server unix:/var/run/php5-fpm.sock;
}

PHP handler location block:

location ~ [^/]\.php(/|$) {
 fastcgi_split_path_info ^(.+?\.php)(/.*)$;
 if (!-f $document_root$fastcgi_script_name){return 404;}
 fastcgi_pass backend; #pass request to the upstream
 fastcgi_index index.php;
 include fastcgi_params;
}
Improve this question
2
  • 1
    Can you please try adding try_files $uri $uri/ =404; into your ^/protected/ticketing section? It sends you file, because your sections are not inherit and if request is catched with ticketing, that wont be processed with further locations by-default. Commented Mar 17, 2016 at 14:28
  • I did try something similar. I tested your proposal, but still got php to be downloaded. Accept-Ranges: bytes Connection: keep-alive Content-Length: 19581 Content-Type: application/octet-stream Date: Thu, 17 Mar 2016 16:18:29 GMT Etag: "55e0699c-4c7d" Last-Modified: Fri, 28 Aug 2015 14:01:00 GMT Server: nginx Commented Mar 17, 2016 at 16:19

2 Answers 2

Reset to default
1

Actually, using if at location is considered evil by nginx crew. Might be an option to use maps here. For example

map $uri $secured_url {
        default false;
        "~*/secret" true;
}

map "$secured_url:$ssl_client_verify" $return_unauthorized {
        default 0;
        "true:FAILED" 1;
        "true:NONE" 1;
        "true:" 1;
}

Where "~*/secret" is location you're trying to secure (in your case that will be "~/protected/ticketing").

Then you could just add if ($return_unauthorized) { return 401; } at server directive level.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Actually not in this case, also recommended by nginx crew. So this is an exception but I do agree in general that should be avoided. Regarding my issue and your solution, I'm not sure that's the best approach. It seems complicated. All I need is basically to instruct nginx to talk to the upstream, that's it.
0

I ended up with nested location solution. It's dirty and I'm sure there must be better solution than this out there. 

location ~ [^/]\.php(/|$) {
# 
#... other PHP related settings 
#... other PHP related settings 
#

fastcgi_pass backend;

location ~ ^/protected/ticketing {
        #check X.509
        if ($ssl_client_verify != SUCCESS) {return 401;}

fastcgi_pass backend; #this was still mandatory even though parent (.php) block already had this directive, but w/o putting pass here PHP won't get interpreted?!

}

}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.