Anyone who puts an NGINX server online and looks at its access.log
a week latter will find lots of URL exploits being attempted. Every day, any time.
So what if, I was to reject any and all url parameters. What if every query string was masked with an NGINX rewrite
which would fail to match anything not defined as a rewrite
naturally returning a 404 Not Found?
Or a series of rewrites in order placed inside this always present location block?
location / {
rewrite "^/api/v1/users/?$" /api/v1/Users.php last;
rewrite "^/api/v1/users/(all|active|inactive)?$" /api/v1/Users.php?status=$1 last;
rewrite "^/api/v1/users/(\d+)/?$" /api/v1/Users.php?userId=$1 last;
}
# URL Match examples...
http://localhost/api/v1/users
http://localhost/api/v1/users/
http://localhost/api/v1/users/all
http://localhost/api/v1/users/active
http://localhost/api/v1/users/inactive
http://localhost/api/v1/users/2001
http://localhost/api/v1/users/2002
http://localhost/api/v1/users/2003
Is there a way to direct NGINX to ignore URL parameters? Feel free to let me know if this is a naive question. Perhaps I'm asking the wrong question.
Rather use
return
instead ofrewrite
because "rewrite directive can return only code 301 or 302". For this, create alocation
with a regular expression to catch the specific request uri.And if you just want to drop all of these requests return a http status 444.
Example: