Cookies with non-ASCII causing all endpoints to give status code 400 - cookies

I have a website using aspnetcore 2.1 and Kestrel (IIS as proxy) and someone else on our domain sets a cookie that contains non-ASCII characters. I know this is wrong, but I can't make sure they don't and I still want the cookie (otherwise it is easy just to remove it in my web.config).
The result being: Cookie is set incorrectly on one site and when the user "unknowingly" goes to our website, our website gives an error 400 on all requests.
Is there a way of removing the bad characters in the cookie header before it hits Kestrel? I thought I could use a HttpModule/Middleware/etc to remove it, but it looks like Kestrel is the first one to get a HttpContext.

No workaround at the side of dotnetcore. If you are using nginx behind of your dotnetcore application, you can delete all of the non-ascii character like that:
set_by_lua_block $cookie_ascii {
local cookie = ngx.var.http_cookie
if cookie == nil or cookie == '' then return cookie end
local cookie_ascii, n, err = ngx.re.gsub(cookie, "[^\\x00-\\x7F]", "")
return cookie_ascii
}
listen 80;
server_name example.com;
location / {
proxy_pass http://localhost:5000;
...
proxy_set_header Cookie $cookie_ascii;
...
}
}

Related

Redirect old domain to new domain, including /en/

Little stuck but I'm trying to redirect an old domain name to a new domain, which is working to a point. However, we have a long list of URLs from our old website (using the old domain). Which have /en/ appended at the end.
So the issue is when I link olddomain.com/en/old-url to newdomain.com/new-url it throws a 404 as it's not picking up the '/en/'. I've compiled a long list of 301 redirects inside the Django admin, but they don't include the '/en/'. Which is where the issue is. Ideally, I want to add something to my nginx config that tells the domain to redirect even if the /en/ is included.
So Far I have something like this:
server {
listen 80;
server_name olddomain.co.uk www.olddomain.co.uk olddomain.co.uk/en/
return 301 https://www.newdomain.co.uk$request_uri;
}
server {
HTTPS
server_name olddomain.co.uk www.olddomain.co.uk olddomain.co.uk/en/;
#return 301 https://www.newdomain.co.uk$request_uri;
listen 443;
}
Thanks in advance.

Get url parameter and save variable or cookie

I have a new installation of wordpress that replaces an old site.
In the old site there was a dynamic referl for users
mysite.com/123456 or mysite.com/somename
Now I have to be able to intercept everything that exists after / then 123456 or somename to save it in a session variable or in a cookie, (I have full access to the server).
I did some test with this code:
location / {
add_header Set-Cookie "secret_code=$args;Domain=$site_name;Path=/;Max-Age=31536000;Secure;HTTPOnly" always;
try_files $ uri $ uri / /index.php?$args;
}
But I find myself as a value other parameters, very likely for calls that makes wordpress itself
Also with this:
location ~ ^/(.+)$ {
add_header Set-Cookie "secret_code=$1;Domain=$site_name;Path=/;Max-Age=31536000;Secure;HTTPOnly" always;
try_files $ uri $ uri / /index.php?$args;
}
But this does not work nginx because it does not run PHP, and it makes them download
Which is the best way to solve this problem
Thank you guys
I'm not sure if this is all you wanted. But, here is the regex to match alphanumeric characters after '/'
Tested and works for both mysite.com/123456 and mysite.com/somename
/(?<=mysite.com\/)\w+/

Nginx password authentication keeps prompting for password

I want to upload a development branch of my website so that I can show it to clients and make tests in an environment as close to production as possible (with code that may not be ready for production). Thus I would like to password protect this site.
I'm developing a website using Django and use nginx for serving the website (with uWsgi). I manage to get prompted for password applying the following directives:
auth_basic "Restricted Content"; # also tried "Private Property"
auth_basic_user_file /etc/nginx/.htpasswd;
But the problem is that after entering the first password properly, it keeps prompting me for the user & password again; as if every API call would need to be authenticated.
I think the issue might be with my configuration file, so here's my site.conf file:
server {
listen 80;
server_name panel.mysite.dev;
root /path/to/my/app/front/dist;
### I've also tried 'auth_basic' here
location / {
root /path/to/my/app/front/dist;
index index.html;
auth_basic "Private Property";
auth_basic_user_file /etc/nginx/.htpasswd;
}
location /media {
rewrite ^(.*)$ http://media.mysite.dev$1;
}
location /static {
rewrite ^(.*)$ http://static.mysite.dev$1;
}
}
server {
listen 80;
server_name api.mysite.dev;
### I've also tried 'auth_basic' here
location /api {
client_max_body_size 25m;
uwsgi_pass unix:/tmp/api.mysite.dev.sock;
include /path/to/my/app/back/uwsgi_params;
}
}
server {
listen 80;
server_name media.mysite.dev;
root /path/to/my/app/media;
add_header 'Access-Control-Allow-Origin' '.*\.mysite\.[com|dev]';
location / {
root /path/to/my/app/media;
}
}
server {
listen 80;
server_name static.mysite.dev;
root /path/to/my/app/static;
if ($http_origin ~* (https?://.*\.mysite\.[com|dev](:[0-9]+)?)) {
set $cors "true";
}
location / {
if ($cors = "true") {
add_header 'Access-Control-Allow-Origin' "$http_origin";
}
}
}
My question: Is there any way to remember the password once entered and allow authenticated users to navigate easily? Or am I missing something trivial?
EDIT:
In my django settings.py:
AUTHENTICATION_BACKENDS = (
'oauth2_provider.backends.OAuth2Backend',
'django.contrib.auth.backends.ModelBackend',
'allauth.account.auth_backends.AuthenticationBackend',
)
...
REST_FRAMEWORK = {
...
DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.TokenAuthentication',
'oauth2_provider.ext.rest_framework.OAuth2Authentication',
),
Thank you very much in advance. Any help would be much appreciated
Basic authentication uses the Authorization header to transmit user and password. Django REST also uses this header in the TokenAuthentication authentication backend. Nginx does not support multiple Authorization headers, so if you try to login and use Token authentication simultaneously, things will break.
A solution requiring no changes to the Django app would be to use another means of authentication in nginx, e.g., client certificates, or, you can use the ngx_http_auth_request_module to check whether a signed session cookie is set/valid or if the request IP is in a (temporary) whitelist, and redirect the user to a page with a login form otherwise.
There is an excellent, easy and more secured way for Basic Authentication with Nginx. It is, use oAuth2_proxy which has Basic Authentication support including a web form (excellent, browser will not keep connection alive) to input user/password credentials with option to include a password file like htpasswd. It also has support for many other identity providers.
Here's my oAuth2_proxy config file for Basic Auth:
http_address = "0.0.0.0:5160" #use any port you want
upstreams = [
"https://url-that-you-want-to-protect/"
]
request_logging = false
custom_sign_in_logo = "/etc/apache2/small-email-icon.png" #custom logo on form
authenticated_emails_file = "/etc/apache2/emails" #required option, file can be empty
htpasswd_file = "/etc/apache2/.htpasswd" #basic auth password file
display_htpasswd_form = true
client_id = "hfytr76r7686887"
client_secret = "ghgh6767ghgh7654fghj6543dfgh5432"
cookie_name = "_oauth2_proxy"
cookie_secret = "ghgh6gguujgh7654fghj6543dfgh5432"
cookie_expire = "2h15m0s"
# cookie_refresh = ""
cookie_secure = true
footer = "Unauthorized access prohibited."

Can NGINX change the response code after a proxy_pass?

So I have an internal API server namespaced under /api/, and I want to pass all other requests to an Amazon S3 static site using proxy_pass. This all works fine, it's just since Amazon is serving a single page app, I want to always return the same HTML file. They way I did this with the S3 server, was to set the index and error page as the same file. It all looks fine on the surface, but for all other requests besides /, the S3 instance returns a 404. Can I use NGINX to change this to a 200 before returning it to the client?
server {
listen 80;
server_name example.com;
location /api/ {
# serve internal app
}
location / {
proxy_pass http://example.amazonaws.com/;
# ALWAYS RETURN A 200
}
}
You should be able to use the error_page and proxy_intercept_errors directives to achieve this. Something like this should do the trick.
location / {
proxy_pass http://example.amazonaws.com/;
proxy_intercept_errors on;
error_page 404 =302 /your_html_file
}
error_page
proxy_intercept_errors
You can internally rewrite all URLs to the document you want served. This avoids the error handling cycle and problematic redirects.
It would be something like (untested):
location / {
proxy_pass http://example.amazonaws.com/;
rewrite ^.* /index.html
}
Note that you will want to only use full or root-relative URLs in your doc, because you don't know if the docs is served from a subdirectory.
You'd also be wise to have JS code validate the URL and optionally redirect to one you consider valid. Otherwise 3rd party sites could link to offensive URLs and get them in search indexes!

Django Nginx X-Accel-Redirect for protected files on Webfaction

If you want to torment someone until the end of time, just get them to configure Django and Nginx X-Accel-Redirect. This is literally impossible, I have been trying for days.
I am trying to only allow certain files to be downloaded from logged in views in django using Nginx on webfaction. Here is what I have:
Custom Nginx app listening on port 27796 under /static. Here is the conf.
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 27796;
server_name myurl.com;
root /home/ucwsri/webapps/static_media_ucwsri_nginx;
location / {
autoindex on;
}
location ^.*/protected-files {
internal;
alias /home/ucwsri/webapps/static_media_ucwsri_nginx/protected;
}
All static content is in /home/ucwsri/webapps/static_media_ucwsri_nginx, and is being correctly served by this Nginx app.
The files I want protected are here:
/home/ucwsri/webapps/static_media_ucwsri_nginx/protected
Which is the alias listed under the location ^.*/protected-files block in Nginx.
The view simply makes an Http Response thus:
response = HttpResponse()
url = "/static/protected-files/some-file.pdf"
response['X-Accel-Redirect'] = url
return response
Where the 'some-file.pdf' file exists in
/home/ucwsri/webapps/static_media_ucwsri_nginx/protected
Whatever I try I get a 404 from Nginx when trying to get that file as a POST request that goes to that view. I have tried everything I can think of, every location combination block, nothing works. Always a 404.
Someone please put me out of my misery and tell me what I have done wrong. This is truly brutal for something seemingly so simple.
First, your location ^.*/protected-files is nonsense. I guess, you've missed ~ modifier, but even in that case it would be useless.
Second, you have not protected /protected/ folder. Direct request to /protected/some-file.pdf will download that file without any protection.
Third, you have /static/protected-files/some-file.pdf in X-Accel-Redirect, but you didn't mention any static folder before.
So, I would suggest following config:
server {
listen 27796;
server_name myurl.com;
root /home/ucwsri/webapps/static_media_ucwsri_nginx;
location / {
autoindex on;
}
location ^~ /protected/ {
internal;
}
And django should be:
response = HttpResponse()
url = "/protected/some-file.pdf"
response['X-Accel-Redirect'] = url
return response
Summary:
Protect real folder.
X-Accel-Redirect is URI, just think about it as if user put that URI in browser address bar. The only difference is that internal will allow access with X-Accel-Redirect while forbid direct user access from browser.