Hardening Admin Access With Nginx; Part 2
In the first post of this series
I wrote about web applications that use a POST request with
application/x-www-form-urlencoded
to send their credentials to the server.
Now, how about web applications that use something else to accomplish this? I
have one web application that sends the username and password as JSON, and
Nginx on its own cannot look inside a JSON body (its `if` and variable
matching have no JSON parser). As a solution, I decided to use
OpenResty. OpenResty bundles Nginx with LuaJIT and the ngx_lua module, so you
can run Lua code inside the request phases. I've been using it for a little
bit now, and I'm quite happy with it.
So, now that we have the power of Lua at our disposal, how do we deal with this problem?
Our web application sends its login request as a JSON body in the following format:
{
"Username": "admin",
"Pw": "secretpassword"
}
To extract the information, we use
lua-resty-reqargs. The module returns a function; calling it reads the
request body and returns three values (get, post, and files), each of them a
Lua table. reqargs decodes a JSON body (as well as a form-encoded one) into
the post table, so we can read our Username value from there. We lower-case
the value first so that "Admin" and "ADMIN" are caught too, and if the string
"admin" occurs anywhere in it we send the client a 403. Note that this is a
substring match, so a username like "sysadmin" is caught as well, and that
the field has to be present: calling :lower() on a nil post.Username raises a
Lua error, which Nginx turns into a 500 rather than the 403 we rely on, so
the field needs a nil check.
local get, post, files = require "resty.reqargs"()
-- post holds the decoded JSON object; a missing field must not raise a Lua
-- error, since that becomes a 500 instead of the 403 that error_page catches
local username = type(post.Username) == "string" and post.Username or ""
local user_normalised = username:lower()
-- plain (non-pattern) substring search; ngx.exit sets the 403 status itself
if string.find(user_normalised, "admin", 1, true) then
  ngx.exit(ngx.HTTP_FORBIDDEN)
end
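As an added example (my own code, not the original post's script and not part of lua-resty-reqargs), here is a version of the access script that needs no extra library: it uses OpenResty's own ngx.req API and the bundled cjson module, and accepts either the JSON body shown above or the application/x-www-form-urlencoded body from part 1, so one script serves both kinds of application. The field names in FIELD_NAMES and the fail-closed handling of a body that cannot be parsed are my assumptions; adjust them to your application.

```lua
-- Added example access_by_lua_file script (not the original post's code).
-- Assumed: the JSON field is "Username" (as in the post), the form field is
-- "username"; both are listed in FIELD_NAMES. Everything else is OpenResty's
-- documented ngx.req API plus the bundled cjson.safe module.
local cjson = require "cjson.safe"   -- decode() returns nil, err instead of raising

local FIELD_NAMES = { "Username", "username" }
local BLOCKED_SUBSTRING = "admin"
-- Assumption: a login request whose credential we cannot inspect is treated
-- like an admin login, so it is only served from the allow-listed networks.
local FAIL_CLOSED = true

-- Returns the submitted username as a string, or nil if none could be found.
-- No error may escape this function: an uncaught Lua error yields a 500,
-- which would not trigger the error_page 403 -> @with_admin jump.
local function extract_username()
  ngx.req.read_body()
  local content_type = ngx.var.content_type or ""
  local args

  if content_type:find("application/json", 1, true) then
    local body = ngx.req.get_body_data()
    if not body then
      -- body larger than client_body_buffer_size is spooled to a temp file;
      -- this is a blocking read, acceptable for a small login request
      local path = ngx.req.get_body_file()
      if path then
        local f = io.open(path, "rb")
        if f then body = f:read("*a"); f:close() end
      end
    end
    if not body then return nil end
    local decoded, err = cjson.decode(body)
    if type(decoded) ~= "table" then
      ngx.log(ngx.WARN, "unparseable JSON login body: ", err or "not a JSON object")
      return nil
    end
    args = decoded
  elseif content_type:find("application/x-www-form-urlencoded", 1, true) then
    local err
    args, err = ngx.req.get_post_args()
    if not args then
      ngx.log(ngx.WARN, "could not parse form body: ", err)
      return nil
    end
  else
    return nil
  end

  for _, name in ipairs(FIELD_NAMES) do
    local value = args[name]
    -- a repeated form field arrives as a table; use the first occurrence
    if type(value) == "table" then value = value[1] end
    if type(value) == "string" then return value end
  end
  return nil
end

local username = extract_username()
if username == nil then
  ngx.log(ngx.WARN, "login request without a readable username from ", ngx.var.remote_addr)
  if FAIL_CLOSED then
    ngx.exit(ngx.HTTP_FORBIDDEN)
  end
  return  -- fall through to proxy_pass
end

-- Plain substring search after lower-casing, so "Admin", "ADMIN" and
-- "sysadmin" are all caught. The 403 is picked up by
-- "error_page 403 = @with_admin" in the location block.
if username:lower():find(BLOCKED_SUBSTRING, 1, true) then
  ngx.log(ngx.NOTICE, "admin login attempt from ", ngx.var.remote_addr)
  ngx.exit(ngx.HTTP_FORBIDDEN)
end
```

Reading the body with ngx.req.read_body() does not consume it: Nginx keeps the buffered body and proxy_pass forwards it unchanged to the application, in both the normal path and the @with_admin path.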
Our Nginx config has the same location block as in the first post, with the
"jump" to our @with_admin named location: error_page 403 = @with_admin;
turns the 403 raised by the Lua script into an internal redirect to
@with_admin, where the allow/deny rules decide whether the request is proxied
to the application or refused with the named location's own 403.
location /authenticate {
error_page 403 = @with_admin;
access_by_lua_file conf/auth/application.lua;
proxy_pass http://application;
}
location @with_admin {
allow 192.168.1.0/24;
allow 192.168.10.0/24;
deny all;
proxy_pass http://application;
}
Pretty easy, huh? I look forward to all the additional features OpenResty has to offer.