Nginx $server_name in if statement - variables

It seems like this is not working:
server_name blabla.bla;
location ~* (wp-comments-posts|wp-login)\.php$ {
    if ($http_referer !~ ^(http://$servername) ) {
        return 405;
    }
}
While
server_name blabla.bla;
location ~* (wp-comments-posts|wp-login)\.php$ {
    if ($http_referer !~ ^(http://blabla.bla) ) {
        return 405;
    }
}
works just fine. Is this expected and if so why? Or am I doing something wrong here?

Regular expressions are compiled while reading configuration, thus they cannot contain variables.
Also please note:
http://wiki.nginx.org/IfIsEvil
http://nginx.org/en/docs/http/ngx_http_referer_module.html

If you have the referer module you might like this one: this will ONLY allow the current server names to be valid referrers. All others will return a 405 error.
location ~* (wp-comments-post)\.php$ {
    valid_referers server_names;
    if ( $invalid_referer ) {
        return 405;
    }
    ### Do your stuff here
}
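
Added example (not part of the original posts): a Python model of the three checks in this thread, showing why the pattern containing a variable rejects every request and how the literal prefix pattern differs from comparing the Referer's host. SERVER_NAMES and the sample Referer values are constructed for illustration, Python's re module stands in for nginx's regex matching, and rejected_by_host is a model of the idea behind valid_referers server_names, not nginx's code.

```python
import re
from urllib.parse import urlsplit

# Patterns exactly as written in the two configurations from the question.
PATTERN_WITH_VARIABLE = r"^(http://$servername)"
PATTERN_LITERAL = r"^(http://blabla.bla)"
# Assumption for illustration: the names nginx knows from server_name.
SERVER_NAMES = {"blabla.bla"}


def rejected_by_regex(pattern: str, referer: str) -> bool:
    """Model `if ($http_referer !~ pattern) { return 405; }`."""
    return re.search(pattern, referer) is None


def rejected_by_host(referer: str, names=SERVER_NAMES) -> bool:
    """Model of the idea behind `valid_referers server_names`:
    compare the Referer's host with the configured names."""
    host = urlsplit(referer).hostname
    return host is None or host.lower() not in names


# Constructed sample Referer values.
SAMPLES = [
    "http://blabla.bla/wp-login.php",      # same site
    "http://blabla.bla.example.net/page",  # different host sharing the prefix
    "http://blablaXbla/page",              # unescaped '.' matches any character
    "",                                    # header absent
]


def report():
    """Return (referer, variable_regex, literal_regex, host_check) rows,
    where True means the request would get the 405."""
    return [(ref,
             rejected_by_regex(PATTERN_WITH_VARIABLE, ref),
             rejected_by_regex(PATTERN_LITERAL, ref),
             rejected_by_host(ref))
            for ref in SAMPLES]


if __name__ == "__main__":
    for ref, var_re, lit_re, host in report():
        print(f"{ref!r:40} variable={var_re} literal={lit_re} host={host}")
```

The `$` in the first pattern is compiled as an end-of-string anchor, so nothing can follow it and the pattern never matches. The literal pattern needs escaped dots and a delimiter after the host name if it is to behave like the host comparison.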

Related

How to inject location directive into Kong

I'm trying to inject an nginx location directive into Kong but it's not working as expected.
In kong.conf I have
nginx_proxy_include = /u01/nginx/custom-nginx.conf
In custom-nginx.conf I have location /doc { alias /some/path; }
Yet it's not being injected into nginx-kong.conf which remains untouched:
# .......
# injected nginx_admin_* directives
location / {
    default_type application/json;
    content_by_lua_block {
        Kong.admin_content()
    }
    header_filter_by_lua_block {
        Kong.admin_header_filter()
    }
}
location /nginx_status {
    internal;
    access_log off;
    stub_status;
}
location /robots.txt {
    return 200 'User-agent: *\nDisallow: /';
}

in akka-http, how to match a path segment with an optional end slash?

This path directive of akka http matches /hello:
lazy val userRoutes: Route = cors() {
    path(Segment) { p => ... }
How can I match both /hello and /hello/ (optional end slash)?
After reading the doc https://doc.akka.io/docs/akka-http/current/routing-dsl/directives/path-directives/index.html#pathdirectives
I've tried as follows, but it does not compile:
lazy val userRoutes: Route = cors() {
    rawPathPrefix(Slash ~ Segment ~ pathEndOrSingleSlash) { p => ... }

Akka-Http provides path directives that you can use to solve this:
val route =
  pathPrefix("hello") {
    pathEndOrSingleSlash {
      complete("/hello")
    }
  }
https://doc.akka.io/docs/akka-http/current/routing-dsl/directives/path-directives/pathEndOrSingleSlash.html

Redirect HTTPS on multidomain Varnish

I have got two domains based on the same framework (magento2):
domain1.it
domain2.com
I would like to redirect them to their respective SSL version.
https://domain1.it
https://domain2.com
Domain 1 is correctly configured to redirect to HTTPS and my Varnish config file is:
sub vcl_recv {
    if ( (req.http.host ~ "^(?i)www.domain1.it" || req.http.host ~ "^(?i)domain1.it") && req.http.X-Forwarded-Proto !~ "(?i)https") {
        return (synth(750, ""));
    }
}
sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://domain1.it" + req.url;
        return(deliver);
    }
}
The problem is that the synth always redirects to the same domain.
I should add an if condition where I could call a subroutine that redirects to HTTPS for domain2.

For the love of everything that is good, please stop using otherworldly status codes; 301 and 302 are perfectly fine, clearer and save you a line.
I would advise against using x-forwarded-proto and use an SSL/TLS terminator that supports the PROXY protocol, but since this is what you have, here you go:
sub vcl_recv {
    if (req.http.X-Forwarded-Proto !~ "https") {
        set req.http.location = "https://" + req.http.host + req.url;
        return(synth(301));
    }
}
sub vcl_synth {
    if (resp.status == 301 || resp.status == 302) {
        set resp.http.location = req.http.location;
        return (deliver);
    }
}
Relevant link: https://info.varnish-software.com/blog/rewriting-urls-with-varnish-redirection

Bitnami Engineer here. I just reviewed the Varnish documentation and found this:
import std;  # required for std.port()

sub vcl_recv {
    if (client.ip != "127.0.0.1" && std.port(server.ip) == 80 && req.http.host ~ "^(?i)example.com") {
        set req.http.x-redir = "https://" + req.http.host + req.url;
        return(synth(850, "Moved permanently"));
    }
}
sub vcl_synth {
    if (resp.status == 850) {
        set resp.http.Location = req.http.x-redir;
        set resp.status = 302;
        return (deliver);
    }
}
This is useful when you want to redirect the clients to an SSL-version of your site. More info here:
https://varnish-cache.org/trac/wiki/VCLExampleRedirectInVCL

Varnish not ignoring subdomain despite vcl rules

I am running a basic lamp server with apache on port 80, and varnish on port 81. I am attempting to exclude a subdomain of the primary site entirely, however I have had no luck in doing so thus far, and I'm not sure why.
As you can see below, I have a rule in place to A) skip logged in users on the subdomain, and B) skip the subdomain entirely. Neither of these seem to work however. Is there something wrong with my vcl configuration?
backend default {
    .host = "my.server.ip.address";
    .port = "80";
}
sub vcl_recv {
    call identify_device;
    # Allow the back-end to serve up stale content if it is responding slowly.
    set req.grace = 2m;
    # Always cache the following file types for all users.
    if ( req.url ~ "(?i)\.(png|gif|jpeg|jpg|ico|swf|css|js|html|htm)(\?[a-z0-9]+)?$" ) {
        unset req.http.cookie;
    }
    # Don't serve cached pages to logged in users
    if ( req.http.cookie ~ "wordpress_logged_in" || req.url ~ "vaultpress=true" ) {
        return( pass );
    }
    #Lets skip the logged in users on subdomain too!
    if ( req.http.cookie ~ "dmr_user" ) {
        return (pass);
    }
    #skip subdomain.domain.com
    if (req.http.host ~ "subdomain.domain.com") {
        return (pass);
    }
    #Following for WooCommerce and comments
    if (req.url ~ "^/(cart|my-account|checkout|addons|wp-comments-post)") {
        return (pass);
    }
    #Lets skip the logged in users on entries too!
    if ( req.http.cookie ~ "dmr_user" ) {
        return (pass);
    }
    if ( req.url ~ "\?add-to-cart=" ) {
        return (pass);
    }
    # Drop any cookies sent to WordPress.
    if ( ! ( req.url ~ "wp-(login|admin)" ) ) {
        unset req.http.cookie;
    }
}
sub vcl_fetch {
    if (beresp.ttl < 180s) {
        set beresp.ttl = 180s;
    }
    if (!(req.url ~ "wp-(login|admin)")) {
        unset beresp.http.set-cookie;
    }
}
sub vcl_hash {
    hash_data(req.http.X-Device);
}
sub vcl_deliver {
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
}

You are only skipping the processing of the subdomain halfway into your handling, i.e. instructions are executed in order. Moving the skip domain check directly to the top of sub vcl_recv should ensure no other rules get executed against requests to that subdomain.

Well guys, it turns out that what I needed was to use pipe instead of pass.
#skip subdomain.domain.com
if (req.http.host ~ "subdomain.domain.com") {
    return (pass);
}
is now
#skip subdomain.domain.com
if (req.http.host ~ "subdomain.domain.com") {
    return (pipe);
}
I also went ahead and moved it up to the top of the config. Altogether it works like a charm now. Thanks to everyone for their help!

Magento 1.7 REST API nginx rewrite rule. api.php not executed

all
If I open the link http://example.com/api/rest/products, it just downloads api.php, and the script is not executed.
What can it be?
Here are my nginx rules for the Magento site:
location /api {
    rewrite ^/api/rest /api.php?type=rest break;
}
location / {
    index index.html index.php;
    try_files $uri $uri/ @handler;
    expires 30d;
}
location ~ (/(app/|includes/|lib/|/pkginfo/|var/|report/config.xml)|/\.svn/|/.hta.+) {
    deny all;
}
location ^~ /(app|includes|lib|media/downloadable|pkginfo|report/config.xml|var)/ { internal; }
location /var/export/ { internal; }
location /. { return 404; }
location @handler { rewrite / /index.php; }
location ~* .php/ { rewrite ^(.*.php)/ $1 last; }
location ~* .php$ {
    if (!-e $request_filename) { rewrite / /index.php last; }
    expires off;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param MAGE_RUN_CODE default;
    fastcgi_param MAGE_RUN_TYPE store;
    include fastcgi_params;
}

I saw that post, too, and got the same thing.
I changed the rule from break to last and things seem to work now:
location /api {
    rewrite ^/api/rest /api.php?type=rest last;
}
I believe it works this way because last re-scans the rewrites and can execute your '.php' location directive, where break only considers the current location block (/api). Source: http://wiki.nginx.org/HttpRewriteModule#rewrite

You should write this in your nginx configuration:
location /api
{
    rewrite ^/api/rest /api.php?type=rest last;
    rewrite ^/api/v2_soap /api.php?type=v2_soap last;
    rewrite ^/api/soap /api.php?type=soap last;
}