26 Oct, 2022

Hardening Admin Access With Nginx; Part 2

SergeantBiggs

nginxlinuxsystem administrationsecuritytechnology

259 Words

2022-10-26 20:39 +0000

In the first post of this series I wrote about web applications that use a POST request with application/x-www-form-urlencoded to send their credentials to the server. Now, how about web applications that use something else to accomplish this? I have one web application that sends the username and password as JSON, and natively Nginx can not deal with that. As a solution, I decided to use OpenResty. OpenResty is a Lua web application server based on Nginx. I’ve been using it for a little bit now, and I’m quite happy with it.

So, now we have to power of Lua at our disposal, how can we deal with this problem?

Our web application sends a request in the following format:

{
  "Username": "admin",
  "Pw": "secretpassword"
}

To extract the information, we use lua-resty-reqargs. This takes the request, and returns three values (get, post, and files). These are presented as lua tables. We can then look at the values inside the post table to get our Username value. If we find a certain string inside our variable, we send the client a 403.

local get, post, files = require "resty.reqargs"
ngx.status = ngx.HTTP_OK
local user_normalised = post.Username:lower()

if string.find(user_normalised, "admin") then
    ngx.status = 403
    ngx.exit(ngx.HTTP_FORBIDDEN)
end

Our Nginx config has the same location block, with the “jump” to our @with_admin pseudo-location.

location /authenticate {
    error_page 403 = @with_admin;
    access_by_lua_file conf/auth/application.lua;
    proxy_pass http://application;
}

location @with_admin {
    allow 192.168.1.0/24;
    allow 192.168.10.0/24;
    deny all;
    proxy_pass http://application;
}

Pretty easy, huh? I look forward to all the additional features OpenResty has to offer.

Articles from blogs I read

What's up with FUTO?

Some time ago, I noticed some new organization called FUTO popping up here and there. I’m always interested in seeing new organizations that fund open source popping up, and seeing as they claim several notable projects on their roster, I explored their webs…

via Drew DeVault's blog October 22, 2025

First look at the DGX Spark

A local supercomputer between the size of a Mac mini and a Mac mini.

via Xe Iaso's blog October 14, 2025

How to Sandbox a Terminal

I often pull code from remote repositories and execute it for testing. This is an area where sandboxing would be extremely beneficial.

via Ξ October 11, 2025

ASG! 2025 CfP Closes Tomorrow!

The All Systems Go! 2025 Call for Participation Closes Tomorrow! The Call for Participation (CFP) for All Systems Go! 2025 will close tomorrow, on 13th of June! We’d like to invite you to submit your proposals for consideration to the CFP submission site quick…

via Pid Eins June 12, 2025

Generated by openring