2

How would I best filter traffic based on the request URI? What I'd like to do is limit access to the script some-script.php when only a certain argument list is given. For instance, allow everyone to reach user_info with associated user_id value, but deny everyone access to action=admin_login unless their IP address is on the LAN.

I know if is evil and allow all won't work as shown below but I can't seem to find what I'm wanting to do.

location ~* /live/some-script\.php {

   // allow "?action=user_info&user_id=[0-9]{1,6}"
   if ($request_uri ~* "action=bwg_frontend_data" ) {
      allow all;
   }

  // deny everyone access to "?action=admin_login", but allow 192.168.100.0/24
  if ($request_uri ~* "?action=admin_login.*")
  {
      allow from 192.168.100.0/24;
  }

  return 403;
}
Server Fault
  • 3,884

2 Answers

4

What you are trying to match is not the $request_uri, but the $query_string.

$request_uri in your case is /live/some-script.php, while $args is everything after ? (an easy way to explain it, to simplify). I will leave links to where you can find help with what you want, as I can't comment on your post because I don't have enough reputation.

For matching the querystring:

https://gist.github.com/psd/3884613

Nginx - Redirect based on query string parameters

There is also another way with custom errors, but I kinda don't like it (you can use it if you want, it's a personal opinion):

Can nginx location blocks match a URL query string?

map $query_string $is_admin {
    ~action=admin_login.* 1; # admin = 1
}
map $query_string $is_user {
    ~action=bwg_frontend_data 1; # user = 1
}
# default is empty, so it will not match the "if" below.

Then inside your server code, you match $is_admin and $is_user with an if.

location ~* /live/some-script\.php {

   # allow "?action=user_info&user_id=[0-9]{1,6}"
   if ($is_user) {
      allow all;
   }

  # deny everyone access to "?action=admin_login", but allow 192.168.100.0/24
  if ($is_admin)
  {
      allow 192.168.100.0/24;
      deny all; # deny anyone but the allowed ones = https://support.hypernode.com/knowledgebase/blocking-allowing-ip-addresses-in-nginx/
  }

  return 403;
}

I'm just giving you the theoretical way of doing it, as I can't see your whole config. Just comment whether it's right or not, so I can edit it and adapt it to what you want. I hope it's what you are asking for.

flaixman
  • 221
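nginx accepts allow and deny only in http, server, location and limit_except context, not inside if, and a return in the location runs before the access phase, so the rule from the question can instead be decided entirely in geo and map and enforced with a single return. The following is an added example, not code from the question or the answer. The variable names $is_lan, $action_class and $deny_request are made up for illustration, and the public pattern is the user_info form from the question's comment.

```nginx
# Added example. geo and map belong in the http {} context.

# 1 when the client address is in the LAN range from the question.
# geo tests $remote_addr; behind a reverse proxy that is the proxy's address.
geo $is_lan {
    default          0;
    192.168.100.0/24 1;
}

# Classify the whole query string. Each regex is anchored with ^ and $, so
# the complete string has to match, not just a substring of it. A substring
# match would also accept a query string carrying extra or repeated arguments.
map $args $action_class {
    default                                   other;
    "~^action=user_info&user_id=[0-9]{1,6}$"  public;
    "~^action=admin_login(&.*)?$"             admin;
}

# One decision from both facts: 1 = refuse. Anything not listed is refused.
map "$action_class:$is_lan" $deny_request {
    default     1;
    "public:0"  0;
    "public:1"  0;
    "admin:1"   0;
}

server {
    # listen / server_name omitted: site-specific
    location ~* /live/some-script\.php {
        # "return" is one of the directives that is safe inside "if".
        if ($deny_request) {
            return 403;
        }
        # PHP handler goes here (site-specific, not shown on the page)
    }
}
```

Because the default is to refuse, a request with an unknown action, a differently ordered argument list or a percent-encoded action name gets 403 rather than reaching the script unclassified.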
0

Good afternoon, everyone. In any case, you will need filtering not only fields, but also filtering forms, URL links, etc. I have not been looking for a similar solution for a long time, but for other purposes, and found an article on the Internet where the filtering function is described in detail. The truth is there is a php solution. Here https://cryptoxer.ru/forum/url-php-help / it says how to do it, I will not duplicate this superfluous. You can study the article in detail yourself and get something useful for yourself. There is a working code written there, take it and use it in your project.