Hardening Admin Access With Nginx; Part 2

SergeantBiggs

nginx, linux, system administration, security, technology

259 Words

2022-10-26 20:39 +0000


In the first post of this series I wrote about web applications that use a POST request with application/x-www-form-urlencoded to send their credentials to the server. Now, how about web applications that use something else to accomplish this? I have one web application that sends the username and password as JSON, and Nginx cannot parse a JSON request body natively. As a solution, I decided to use OpenResty. OpenResty bundles Nginx with LuaJIT and the ngx_lua module, so request handling can be scripted in Lua. I’ve been using it for a little bit now, and I’m quite happy with it.

So, now that we have the power of Lua at our disposal, how can we deal with this problem?

Our web application sends a request in the following format:

{
  "Username": "admin",
  "Pw": "secretpassword"
}

To extract the information, we use lua-resty-reqargs. It reads the request body (it decodes application/json bodies as well as form-encoded ones) and returns three Lua tables: get, post, and files. We then look up the Username key in the post table; a key that is absent from the body is simply nil, so that case has to be handled before calling any string method on it. If we find a certain string inside the (lower-cased) value, we end the access phase with a 403, which is what the error_page directive in the location block below reacts to.

-- resty.reqargs returns a function; calling it reads and parses the body
local get, post, files = require "resty.reqargs"()

-- a body without a Username key yields nil, and a JSON value that is not a
-- string would break :lower(), so normalise defensively instead of erroring
local username = post and post.Username or ""
local user_normalised = tostring(username):lower()

-- plain (non-pattern) search: any username containing "admin" matches,
-- e.g. "sysadmin" as well as "Admin"
if string.find(user_normalised, "admin", 1, true) then
    -- ngx.exit sets the status; error_page 403 then jumps to @with_admin
    ngx.exit(ngx.HTTP_FORBIDDEN)
end

Our Nginx config has the same location block as in the first post, with error_page 403 handing the request over to the @with_admin named location. The internal redirect keeps the original method and body, so the backend receives the login request unchanged when the client IP is allowed.

location /authenticate {
    # a 403 raised in the access phase is turned into a jump, not a response
    error_page 403 = @with_admin;
    access_by_lua_file conf/auth/application.lua;
    proxy_pass http://application;
}

location @with_admin {
    # only these networks may log in with an admin account
    allow 192.168.1.0/24;
    allow 192.168.10.0/24;
    deny all;
    proxy_pass http://application;
}
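To make the two-stage decision (body inspection in the Lua access phase, then the allow/deny list in @with_admin) easy to reason about and test outside OpenResty, here is the same logic modelled in Python. This is an added example, not code from the post or from lua-resty-reqargs; the two networks are copied from the config above, the sample bodies are constructed, and the handling of missing or non-string Username values is an assumption about what a robust version of the Lua script should do (reqargs hands it nil for a missing key).

```python
import ipaddress
import json
from urllib.parse import parse_qs

# Assumed to mirror the allow lines of the @with_admin block above.
ADMIN_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.10.0/24"),
]


def extract_username(content_type, body):
    """Return the Username field of a JSON or form-encoded login body.

    Returns None when there is no usable value (unknown content type,
    malformed JSON, missing key, non-string value). This is the Python
    counterpart of reading post.Username from the reqargs table, where a
    missing key is nil rather than an error.
    """
    ctype = (content_type or "").split(";")[0].strip().lower()
    try:
        if ctype == "application/json":
            data = json.loads(body)
            value = data.get("Username") if isinstance(data, dict) else None
        elif ctype == "application/x-www-form-urlencoded":
            value = parse_qs(body).get("Username", [None])[0]
        else:
            return None
    except (ValueError, UnicodeDecodeError):
        return None
    return value if isinstance(value, str) else None


def is_admin_login(username):
    # Same rule as the Lua script: case-insensitive substring match,
    # so "sysadmin" and "Admin" both count as admin logins.
    return username is not None and "admin" in username.lower()


def route(client_ip, content_type, body):
    """Decide what happens to a POST /authenticate request.

    Stage 1 (access_by_lua): non-admin logins go straight to the backend.
    Stage 2 (error_page 403 = @with_admin): admin logins are proxied only
    when the client address is inside one of ADMIN_NETWORKS; everything
    else gets the 403 produced by "deny all".
    Returns the string "backend" or the integer 403.
    """
    if not is_admin_login(extract_username(content_type, body)):
        return "backend"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in ADMIN_NETWORKS):
        return "backend"
    return 403


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("10.0.0.5", "application/json", '{"Username": "admin", "Pw": "x"}'),
        ("192.168.10.7", "application/json", '{"Username": "Admin", "Pw": "x"}'),
        ("10.0.0.5", "application/json", '{"Username": "alice", "Pw": "x"}'),
        ("10.0.0.5", "application/json", '{"Pw": "x"}'),
        ("10.0.0.5", "application/x-www-form-urlencoded", "Username=sysadmin&Pw=x"),
    ]
    for ip, ctype, body in samples:
        print(ip, body, "->", route(ip, ctype, body))
```

Two of the constructed cases are worth noting: a JSON body with no Username key, or with a non-string value, is passed to the backend as an ordinary login rather than causing a 500, and a form-encoded body is handled by the same function, so one script covers both the Part 1 and the Part 2 applications.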

Pretty easy, huh? I look forward to all the additional features OpenResty has to offer.
