Home / server / Questions / 237059
Accepted
Roger
Asked: 2011-02-18 17:58:43 +0800 CST

Block access to every file in the site but index.htm in Nginx

  • 772

I have a site with just one file: index.htm which have some ajax linked to php files. I'd like to make those php files only accessible via ajax (post and get) coming from this index file and block access to all files but the index.htm. Is it possible in Nginx? Thanks.

security nginx ajax

2 Answers

  1. Best Answer

    Two thoughts:

    In the end, somebody's going to be able to get to them directly by forging headers, but it's a start.

    • 1

  2. Something like this would work:

        location ~ \.php$ {
        if ($http_referer !~* index\.htm) {
            return   403;
        }

        fastcgi_pass 127.0.0.1:9000;
        include fastcgi.conf;

        fastcgi_intercept_errors        on;
        error_page 404 /error/404.php;
    }

    Buf keep in mind that it is easy to spoof this header, for e.g.:

    $ telnet localhost 81
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /pwd.php HTTP/1.0

HTTP/1.1 403 Forbidden
Server: nginx/1.0.5
Date: Thu, 20 Oct 2011 03:06:03 GMT
Content-Type: text/html
Content-Length: 168
Connection: close

    $ telnet localhost 81
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /pwd.php HTTP/1.0
Referer: index.htm

HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Thu, 20 Oct 2011 03:06:38 GMT
Content-Type: text/html
Connection: close

/var/www/localhost/htdocs

    $ curl localhost:81/pwd.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.0.5</center>
</body>
</html>

    $ curl --referer index.htm localhost:81/pwd.php
/var/www/localhost/htdocs
    • 1