0

I have a script that load images from an external server. This script runs on many different websites and what I need is that every click on the image will be proxied so it seems that the click comes from myapp without passing any information of the origin to the external server. The only information I would like to pass are the User IP and the User-Agent

I have no control over the external server, but from their dashboard I can see that many clicks are properly masked, while some pass the origin information and I have no idea why.

Here is my nginx.conf

location /rvsprx {
    proxy_set_header Referer         "https://www.myapp.com";
    proxy_set_header Origin          "https://www.myapp.com";
    proxy_hide_header                Set-Cookie;
    proxy_ignore_headers             Set-Cookie;
    proxy_set_header                 Cookie "";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP       $remote_addr;
    #use google as dns
    resolver                         8.8.8.8;
    proxy_pass                       $arg_dest;
}

This is an example of the HTML created by the script on somesite.com

<a href="https://www.myapp.com/rvsprx?dest=https://www.externalserver.com/landing.html">
  <img src="https://www.myapp.com/rvsprx?dest=https://www.externalserver.com/someimage.jpg"
</a>

How can I properly mask the origin? There are other ways to pass information than Referer, Origin and Cookie?

Thanks in advance.

fasenderos
  • 123
  • 1
  • 4

1 Answers1

0

This should be a comment but its a bit long.

I have a script that load images from an external server

If the script works then why are you trying to replace it with a nginx config that doesn't and is insecure?

without passing any information of the origin to the external server

In web architectures the term "origin" is applied to the server supplying the content. You are applying the term to the HTTP request which makes reading your question rather difficult.

proxy_ignore_headers Set-Cookie;

An HTTP client does not offer Set-Cookie headers in requests.

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

This appears to contradict your stated requirement. As does X-Real-IP.

but from their dashboard I can see that many clicks are properly masked, while some pass the origin information and I have no idea why

Neither do we since you didn't provide any of the data here.

You are aware that the config you have created amounts to an open web proxy which is a exploitable for all sorts of nefarious practices?

symcbean
  • 21,009
  • 1
  • 31
  • 52
  • Yes with the term 'origin' I was referring to the origin of the HTTP request, I apologize for the misunderstanding. Are you suggesting me to use the script to mask the website that is making the request? And if so how can I mask the link and the image request? – fasenderos Jun 30 '23 at 12:28
  • You said you already had a script that did that? How you write a simple proxy script is a different question than what you aked here (should be posted separately) and is off-topic here. Try Stackoverflow. – symcbean Jun 30 '23 at 12:59
  • Maybe I wasn't clear, but I said that my script (a tiny javascript) load images from an external server and create the HTML provided before, and STOP. What I need is that the requests for getting the images and for the link are masked so it seems that the requests comes from my app. So no, the script don't do that, don't **Hide the origin information to the destination server** (the topic question) and that's why I'm trying to use the reverse proxy. – fasenderos Jun 30 '23 at 13:16