
I hope that someone can help me here as I have very limited knowledge about server related stuff.

I have a WordPress site where I want to limit the /wp-content/uploads/ directory access to logged in users only. For this I have used the workaround as specified in the following link on an Nginx server:

https://wordpress.stackexchange.com/questions/37144/how-to-protect-uploads-if-user-is-not-logged-in

And this solution works fine. However, there is a problem.

I have some PDFs embedded via Google doc embed on certain pages. The Google doc embed uses <iframe> to load the PDFs as follows:

<iframe src="//docs.google.com/viewer?url=https://link-to-file.pdf&amp;hl=en_US&amp;embedded=true" class="" style="width:100%; height:500px; border: none;" scrolling="no"></iframe>

My Nginx rule is as follows:

# Hand every request under /wp-content/uploads/ to dl-file.php,
# which checks the WordPress login before serving the file
location ~* /(?:uploads)/* {
   rewrite /wp-content/uploads/(.*)$ /dl-file.php?file=$1;
}

How can I exclude above iframe or //docs.google.com URL from this rule?

Any help would be highly appreciated.

MrWhite
bakar
  • By excluding the Google docs viewer you are essentially making the PDFs publicly available... so why not just make the PDFs publicly available? Alternatively, are the IP address(es) that Google requests these documents with consistent? – MrWhite Nov 10 '21 at 17:14

1 Answer

You can use referrers (http://nginx.org/en/docs/http/ngx_http_referer_module.html#valid_referers)

valid_referers none blocked server_names docs.google.com;

Then you can just use the $invalid_referer variable in your location block.

# Rewrite to the login-checking script only when the Referer is not in the valid_referers list
if ($invalid_referer) {
    rewrite /wp-content/uploads/(.*)$ /dl-file.php?file=$1;
}
JFK
  • Sorry but this does not work. Looks like it does not even validate the former nginx rule. – bakar Nov 09 '21 at 17:50
  • It might be that the `docs.google.com` viewer does not send a correct HTTP referrer header when it requests the file for display. If this is the case, you need to find some other PDF viewer. – Tero Kilkanen Nov 09 '21 at 21:56
  • Add $http_referer to your log (https://docs.nginx.com/nginx/admin-guide/monitoring/logging/) and check what, if anything, google is sending to you. – JFK Nov 09 '21 at 22:00
  • @TeroKilkanen, thank you for the comment. You are right, there is no referrer in the access log. Finally, I have decided to use a different pdf viewer plugin. – bakar Nov 10 '21 at 17:03
  • @JFK, thank you for the comment. Looks like google is not sending any referrer and that is the cause above rule did not work. Thanks for the help btw. – bakar Nov 10 '21 at 17:04
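The directive the answer proposes, modelled in Python as an added example (not code from the question or the answer) so you can see what nginx would put in `$invalid_referer` for each kind of request and whether the rewrite to dl-file.php fires. The server names and the sample upload path are constructed assumptions; the matching rules follow the ngx_http_referer_module documentation linked in the answer. Two things the model makes visible: with `none` in the list, a request that carries no Referer header at all is classed as valid, so the rewrite is skipped for it; and because the Referer header is set by the client, a request that forges `Referer: https://docs.google.com/` is also treated as valid. That is the point of MrWhite's comment above: excluding the viewer by Referer makes the PDFs effectively public.

```python
"""Model of nginx's valid_referers decision for the answer's directive:

    valid_referers none blocked server_names docs.google.com;

Added example, not code from the question or the answer. It follows the
ngx_http_referer_module's documented rules: 'none' accepts a request with
no Referer header, 'blocked' accepts a Referer that does not start with
http:// or https://, 'server_names' accepts the server's own names, and a
listed hostname must equal the Referer host (the part after the scheme,
up to the first '/' or ':', compared case-insensitively). A '*.' prefix
matches subdomains. SERVER_NAMES is a constructed assumption.
"""
import re
from typing import Iterable, Mapping, Optional

VALID_REFERERS = ["none", "blocked", "server_names", "docs.google.com"]
SERVER_NAMES = ["example.com", "www.example.com"]   # constructed assumption


def referer_host(referer: str) -> Optional[str]:
    """Host part of an http(s) Referer, lowercased; None if the value has
    no http:// or https:// scheme (nginx's 'blocked' case)."""
    low = referer.lower()
    for scheme in ("http://", "https://"):
        if low.startswith(scheme):
            rest = low[len(scheme):]
            end = len(rest)
            for i, ch in enumerate(rest):
                if ch in "/:":          # nginx stops the host at '/' or ':'
                    end = i
                    break
            return rest[:end]
    return None


def host_matches(host: str, pattern: str) -> bool:
    """Exact hostname, or '*.example.com' for any proper subdomain."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]            # '.example.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def invalid_referer(headers: Mapping[str, str],
                    valid: Iterable[str] = VALID_REFERERS,
                    server_names: Iterable[str] = SERVER_NAMES) -> str:
    """What nginx would put in $invalid_referer: '' if the Referer is
    accepted by the valid_referers list, '1' otherwise."""
    valid = list(valid)
    referer = headers.get("Referer")
    if referer is None:
        return "" if "none" in valid else "1"
    host = referer_host(referer)
    if host is None:
        return "" if "blocked" in valid else "1"
    patterns = [v for v in valid if v not in ("none", "blocked", "server_names")]
    if "server_names" in valid:
        patterns.extend(server_names)
    return "" if any(host_matches(host, p) for p in patterns) else "1"


def route(path: str, headers: Mapping[str, str]) -> str:
    """The answer's location block: send an uploads URI to dl-file.php
    only when $invalid_referer is set, otherwise serve the file as-is."""
    m = re.search(r"/wp-content/uploads/(.*)$", path)
    if m and invalid_referer(headers):
        return "/dl-file.php?file=" + m.group(1)
    return path


if __name__ == "__main__":
    pdf = "/wp-content/uploads/2021/11/report.pdf"     # constructed path
    cases = {
        "no Referer (what the viewer actually sent)": {},
        "Google viewer page as Referer": {"Referer": "https://docs.google.com/viewer?url=x"},
        "link from the site itself": {"Referer": "https://www.example.com/page/"},
        "link from a third-party site": {"Referer": "https://evil.example.net/"},
        "lookalike host": {"Referer": "https://docs.google.com.evil.example.net/"},
        "forged: curl -H 'Referer: https://docs.google.com/'": {"Referer": "https://docs.google.com/"},
    }
    for label, hdrs in cases.items():
        print(f"{label:52} -> {route(pdf, hdrs)}")
```

Running the file prints the routing decision for each constructed request. Only the third-party and lookalike referers are sent through dl-file.php; the request with no Referer and the forged one are served the file directly, which is why a Referer check cannot stand in for the login check.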