First, I have to admit that I'm a total n00b to NGINX. I have only done very basic work with it.
Now the situation. We have a reverse-proxy box in the DMZ that takes incoming connections/requests and "sends them along" to their destinations. Currently, one of these is allowing only connections from a specific subnet to be forwarded to a specific web server. This is to allow VPN users to reset a specific application password. Unfortunately, it forwards any requests for that web server's URL along.
What I want: I need to lock this down. Instead of passing "https://webserver.com/whatever_they_type" to the server, I want to block everything except for a single, specific URL, e.g. "https://webserver.com/this-url/only". Everything else would get blocked.
Anyone have any thoughts on how to modify that location in NGINX to accomplish this?
Wondering if something like this would work?
location = /good_page/reset_password.html {
    proxy_pass https://1.2.3.4:443;
    #### Set headers ####
    proxy_set_header Host webserver.com;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #### Only allow OpenVPN networks ###
    allow 5.6.7.8/24;
    deny all;
}
location ^~ /good_page {
    deny all;
}
Nginx always tries to match the most specific prefix location first, so you can set two locations:
Note: When you access http://example.com/this-url/only/, nginx forwards to your server http:///this-url/only/. If you need to remove /this-url/only/, you need a rewrite rule.
Nginx Documentation
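A sketch of the two-location layout the answer describes, added here as an illustration and not part of the original thread. It reuses the question's placeholder values (1.2.3.4, 5.6.7.8/24, webserver.com, /good_page/reset_password.html) and assumes both blocks sit inside the existing server block for this site.

```nginx
# Added example. All addresses, names and paths are the placeholders
# used in the question above, not real values.

# Exact match: only this URI is proxied. The query string is not part
# of the match, so "?token=..." variants still land here, while
# "/good_page/reset_password.html/" and "/good_page/anything_else"
# do not.
location = /good_page/reset_password.html {
    # Source filter: only the VPN subnet may reach the backend.
    allow 5.6.7.8/24;
    deny all;

    # No URI part after the host:port, so the backend receives the
    # request URI unchanged.
    proxy_pass https://1.2.3.4:443;
    proxy_set_header Host webserver.com;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# Catch-all prefix: every URI that is not the exact match above ends
# here and is refused without ever being forwarded. This covers the
# whole site, not only paths under /good_page.
location / {
    deny all;
}
```

If the reset page pulls in its own stylesheets or scripts, or posts its form to a different path, each of those paths needs its own exact-match location or it will be refused as well.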