File upload authorization

A fastcgi application receives an uploaded file only after it has been
uploaded; how do you then prevent just anyone (or anything) from uploading a
file?

thank you,
Sergej

Isn’t this a higher-level question unrelated to nginx? Perhaps your
back-end software?

I don’t like the idea that anyone is able to upload a file to my server (up
to client_max_body_size) without authorizing himself. Maybe I’m paranoid.
I was just wondering if there is a way to do authorization first. I can’t
find anything in the wiki, but nginx configuration is full of clever ways to
do something that are not apparent.

You could try using a combination of auth_basic and limit_except to
prohibit PUT/POST.

Cheers

Dave

On Mon, Dec 03, 2007 at 07:22:40AM +0100, Rapsey wrote:

I don’t like the idea that anyone is able to upload a file to my server (up
to client_max_body_size), without authorizing himself. Maybe I’m paranoid.
I was just wondering if there is a way to do authorization first. I can’t
find anything in the wiki but nginx configuration is full of clever ways to
do something that are not apparent.

If you use basic authorization, then as it was suggested you may use

location /upload/ {

    # only GET is exempt; every other method must pass basic auth
    limit_except  GET  {
        auth_basic            ...;
        auth_basic_user_file  ...;
    }
}

Yeah, that’s what I wanted to do initially: auth_basic + ajax that would
authenticate and receive a username/password for upload (the username and
password would be changed every few seconds). The problem is that you can’t
authenticate and upload at the same time with javascript. Asking a user to
write in a password is out of the question.

On Mon, Dec 03, 2007 at 08:49:34AM +0100, Rapsey wrote:

Yeah that’s what I wanted to do initially. auth_basic + ajax that would
authenticate and receive a username/password for upload (the username and
password would be changed every few seconds). The problem is that you cant
authenticate and upload at the same time with javascript. Asking a user to
write in a password is out of the question.

No way, nginx does not communicate with the backend until it has received the
whole body.

Hi there Igor et al,

How do I make

location ~ \.php$ {
    # fastcgi stuff
}

co-operate with

location ~ /admin/.* {
    # auth_basic stuff
}

so that anything under /admin/ requires a username & password, but PHP
still serves the php files?

At the moment the “~ .php$” block seems to be taking precedence,
meaning that e.g. /admin/index.php is served without a username &
password, which is not what I intend. I’ve tried various combinations
but none have done exactly what I want; I’m sure it’s simple!

Thanks,
Igor


Igor C. // POKE // 10 Redchurch Street // E2 7DD // +44 (0)20 7749
5355 // www.pokelondon.com


We like good things. So we made some for Orange.
http://www.goodthingsshouldneverend.co.uk/

On 12/5/07, Igor S. [email protected] wrote:

location ^~ /admin/ {
    # auth_basic stuff

    location ~ \.php$ {
        # fastcgi stuff
    }
}

This has bugged me, too. It results in unnecessary config duplication.
It sure would be useful to have a kind of block that “cut through” all
locations, similar to Lighttpd’s condition blocks.

Alexander.

On Wed, Dec 05, 2007 at 03:20:48PM +0000, Igor C. wrote:

location ~ /admin/.* {
    # auth_basic stuff
}

so that anything under /admin/ requires a username & password, but PHP
still serves the php files?

At the moment the “~ .php$” block seems to be taking precedence,
meaning that e.g. /admin/index.php is served without a username &
password, which is not what I intend. I’ve tried various combinations
but none have done exactly what I want; I’m sure it’s simple!

location ~ \.php$ {
    # fastcgi stuff
}

location ^~ /admin/ {
    # auth_basic stuff

    location ~ \.php$ {
        # fastcgi stuff
    }
}

Alexander S. ha scritto:

location ^~ /admin/ {
    # auth_basic stuff

    location ~ \.php$ {
        # fastcgi stuff
    }
}

This has bugged me, too. It results in unnecessary config duplication.

You can always use the include directive.

Manlio P.

On Wed, Dec 05, 2007 at 04:50:42PM +0100, Alexander S. wrote:

locations, similar to Lighttpd’s condition blocks.
The “cut through” is good when you have a pair of locations.
One of my sites has 110 locations now. When I add a new location I have to
look at the http and server levels only. I do not have to look carefully
through all 110 locations to see if there is something that may affect the
new location.

I call this configuration scalability.
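The two patterns discussed in this thread, combined in one server block as an added example (this is not configuration posted by anyone in the thread): a `^~` prefix location for /admin/ that wins over the regex PHP location, and `limit_except` on the upload location so that anything other than GET must pass auth_basic, with the FastCGI directives pulled in through `include` as Manlio suggests. The snippet path, htpasswd path, document root, host name and backend address are assumptions.

```nginx
# Shared FastCGI directives; assumed to live at /etc/nginx/snippets/php-fastcgi.conf
# and to contain, for example:
#     include       fastcgi_params;
#     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#     fastcgi_pass  127.0.0.1:9000;

server {
    listen      80;
    server_name example.invalid;            # placeholder host name
    root        /var/www/site;              # assumed document root

    client_max_body_size 10m;

    # Ordinary PHP anywhere outside the protected prefixes.
    location ~ \.php$ {
        include snippets/php-fastcgi.conf;
    }

    # "^~" makes the longest prefix match final: the regex location above
    # is not consulted for /admin/..., so the nested block serves its PHP.
    location ^~ /admin/ {
        auth_basic           "Admin area";
        auth_basic_user_file /etc/nginx/htpasswd;   # assumed path

        location ~ \.php$ {
            include snippets/php-fastcgi.conf;
        }
    }

    # Uploads: GET stays open, every other method (POST, PUT, ...) must
    # pass basic auth. The check runs in the access phase, so an
    # unauthenticated upload is refused with 401 before nginx reads the
    # body or opens a FastCGI connection. fastcgi_pass is set on the
    # location itself (not in a nested location) because the implicit
    # limit_except sub-location inherits the content handler.
    location ^~ /upload/ {
        limit_except GET {
            auth_basic           "Upload";
            auth_basic_user_file /etc/nginx/htpasswd;
        }
        include snippets/php-fastcgi.conf;
    }
}
```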

Cool, thanks Igor.

On 5 Dec 2007, at 17:14, Manlio P. wrote:


You can always use the include directive.

Manlio P.


Oh, and thanks Alex and Manlio! :wink:

On 5 Dec 2007, at 18:25, Igor C. wrote:


