Forum: NGINX virtual include authorization using proxy_pass and X-Accel-Redirect

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Hannes Haug (Guest)
on 2008-12-08 21:42
(Received via mailing list)
Hi all

I'd like to implement authorization using proxy_pass and
X-Accel-Redirect like

    # Pass all requests to the application server.
    # This performs access control and returns either
    # X-Accel-Redirect: /internal/... (allow)
    # or status 403 (deny).
    location / {
        proxy_path http://application_server:port
    }

    # Serve resources checked by the application.
    location /internal/ {
        internal;
        rewrite ^/internal/(.*) $1;
    }

Is there a way to enforce this authorization for virtual includes, too?
    <!--# include virtual="/internal/..."-->
seems to bypass the check since it's an internal request.

Thanks
    Hannes
Igor S. (Guest)
on 2008-12-09 13:17
(Received via mailing list)
On Mon, Dec 08, 2008 at 08:32:36PM +0100, Hannes Haug wrote:

>     # Serve resources checked by the application.
>     location /internal/ {
>         internal;
>         rewrite ^/internal/(.*) $1;
>     }
>
> Is there a way to enforce this authorization for virtual includes, too?
>     <!--# include virtual="/internal/..."-->
> seems to bypass the check since it's an internal request.

You should use some other prefix in virtual include to pass it
to the application_server:port as "/internal/..." goes directly to
location /internal/.

A side note: instead of

     location /internal/ {
         rewrite ^/internal/(.*) $1;

it's better to use

     location /internal/ {
         alias  /path/to/root/;
This topic is locked and can not be replied to.