Opened 6 years ago
Closed 6 years ago
#1414 closed defect (invalid)
ACLs have no effect for root location with `return 301 ...` or `rewrite ... permanent`
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.12.x |
| Keywords: | access rewrite | Cc: | |
| uname -a: | Linux someserver 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.12.1
built by gcc 4.9.2 (Debian 4.9.2-10) built with OpenSSL 1.0.2j 26 Sep 2016 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --http-client-body-temp-path=/run/shm/body_temp --http-proxy-temp-path=/run/shm/proxy_temp --http-fastcgi-temp-path=/run/shm/fastcgi_temp --http-uwsgi-temp-path=/run/shm/uwsgi_temp --http-scgi-temp-path=/run/shm/scgi_temp --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --with-mail --with-http_v2_module --with-http_geoip_module --with-select_module --with-http_auth_request_module --with-poll_module --with-debug |
||
Description
I had to configure new server entry for simply redirecting clients with IPs from whitelist to another URL, and the rest of clients should have seen 403 Forbidden answer. Obvious configuration:
server {
listen 80;
server_name someserver.ru;
allow 10.0.0.0/8;
deny all;
location {
return 301 http://anotherurl.com;
}
}
However, nginx with this configuration was returning 301 to all clients, even those not in allowed list.
Tried using rewrite ^/.*$ http://anotherurl.com permanent; instead of return 301 - same results.
Tried moving allow/deny into location / {}, moving return/rewrite outside location / {} (e.g. into server context) - same results.
The only thing that changed this behavior was removing allow line, leaving deny all - after that server began answering 403 to all requests.
Finally I came to the following workaround:
server {
listen 127.0.5.6:321;
return 301 http://anotherurl.com;
}
server {
listen 80;
server_name someserver.ru;
allow 10.0.0.0/8;
deny all;
location / {
proxy_pass http://127.0.5.6:321;
}
}
But that looks crutchy, doesn't it?
There are no exceptions described in documentation, so I guess this behavior of nginx is wrong and should be fixed to respect ACLs.
The rewrite module directives are used to conditionally select appropriate configurations, see docs. As such, they are executed before any other module checks, including
allow/denyandauth_basic.Removing
allowline won't help either - if it does in your case, you probably missed something.If you want to do checks before given rewrite directives, you can do so by using
if(which is a rewrite module directive, and hence are executed sequentially as specified in the configuration). Something like this should work:geo $blocked { default 1; 10.0.0.0/8 0; } server { listen 80; server_name example.com; if ($blocked) { return 403; } return 301 http://secret.example.com/; }