Hardening Admin Access With Nginx; Part 2

SergeantBiggs

nginxlinuxsystem administrationsecuritytechnology

259 Words

2022-10-26 20:39 +0000


In the first post of this series I wrote about web applications that use a POST request with application/x-www-form-urlencoded to send their credentials to the server. Now, how about web applications that use something else to accomplish this? I have one web application that sends the username and password as JSON, and natively Nginx can not deal with that. As a solution, I decided to use OpenResty. OpenResty is a Lua web application server based on Nginx. I’ve been using it for a little bit now, and I’m quite happy with it.

So, now we have to power of Lua at our disposal, how can we deal with this problem?

Our web application sends a request in the following format:

{
  "Username": "admin",
  "Pw": "secretpassword"
}

To extract the information, we use lua-resty-reqargs. This takes the request, and returns three values (get, post, and files). These are presented as lua tables. We can then look at the values inside the post table to get our Username value. If we find a certain string inside our variable, we send the client a 403.

local get, post, files = require "resty.reqargs"
ngx.status = ngx.HTTP_OK
local user_normalised = post.Username:lower()

if string.find(user_normalised, "admin") then
    ngx.status = 403
    ngx.exit(ngx.HTTP_FORBIDDEN)
end

Our Nginx config has the same location block, with the “jump” to our @with_admin pseudo-location.

location /authenticate {
    error_page 403 = @with_admin;
    access_by_lua_file conf/auth/application.lua;
    proxy_pass http://application;
}

location @with_admin {
    allow 192.168.1.0/24;
    allow 192.168.10.0/24;
    deny all;
    proxy_pass http://application;
}

Pretty easy, huh? I look forward to all the additional features OpenResty has to offer.

Articles from blogs I read

Anubis works

That meme is not an understatement, Anubis has been deployed by the United Nations. For your amusement, here is how the inner monologue of me finding out about this went: AoiWhat. You can't be serious, can you?CadeyIt's real.…

via Xe Iaso's blog April 12, 2025

A Firefox addon for putting prices into perspective

I had a fun idea for a small project this weekend, and so I quickly put it together over the couple of days. The result is Price Perspective. Humor me: have you ever bought something, considered the price, and wondered how that price would look to someone el…

via Drew DeVault's blog April 4, 2025

I don't really like OIDC

I will look into this single sign-on protocol and figure out why it is so darn complicated.

via Ξ January 7, 2025

Announcing systemd v257

Last week we released systemd v257 into the wild. In the weeks leading up to this release (and the week after) I have posted a series of serieses of posts to Mastodon about key new features in this release, under the #systemd257 hash tag. In case you aren'…

via Pid Eins December 17, 2024

Generated by openring