Virtual include authorization using proxy_pass and X-Accel-Redirect

Hannes_Haug · 2008-12-08 20:42:02 UTC

Hi all

I’d like to implement authorization using proxy_pass and
X-Accel-Redirect like

# Pass all requests to the application server.
# This performs access control and returns either
# X-Accel-Redirect: /internal/... (allow)
# or status 403 (deny).
location / {
    proxy_path http://application_server:port
}

# Serve resources checked by the application.
location /internal/ {
    internal;
    rewrite ^/internal/(.*) $1;
}

Is there a way to enforce this authorization for virtual includes, too?

seems to bypass the check since it’s an internal request.

Thanks
Hannes

Hannes_Haug · 2008-12-09 12:17:23 UTC

On Mon, Dec 08, 2008 at 08:32:36PM +0100, Hannes Haug wrote:

# Serve resources checked by the application.
location /internal/ {
    internal;
    rewrite ^/internal/(.*) $1;
}
Is there a way to enforce this authorization for virtual includes, too?

seems to bypass the check since it’s an internal request.

You should use some other prefix in virtual include to pass it
to the application_server:port as “/internal/…” goes directly to
location /internal/.

A side note: instead of

 location /internal/ {
     rewrite ^/internal/(.*) $1;

it’s better to use

 location /internal/ {
     alias  /path/to/root/;