Context:
- I have nginx listening on port 80 and serving static files (jpg, css, js, etc.)
- For non-static files, I proxypass to Apache listening on 8080
- I use "secure_link" to protect my files from being downloaded by unauthorized persons.
- I have an A record in my DNS such as:

sub1 IN A 123.45.67.89

Result:
- sub1.mydomain.org is successfully reachable.
- "secure_link" almost works successfully, I can indeed protect my file like this:

http://123.45.67.89/authorized/personal.zip?h=jrzkNDEX5ie3nALar2_uuQ&e=1371539981

Problem:
- If I replace the IP with the subdomain, it returns an nginx 403 error:

http://sub1.mydomain.org/authorized/personal.zip?h=jrzkNDEX5ie3nALar2_uuQ&e=1371539981

Extra info:
- Since everything works fine except the weird subdomain thing, I don't think it is necessary to paste my whole nginx.conf file?

Anyway, here it is:

user www-data;
worker_processes  2;

events {
    worker_connections  1024;
}


http {

    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    tcp_nopush     on;
    tcp_nodelay on;
    keepalive_timeout  65;

    gzip on;
    gzip_disable "msie6";

    limit_conn_zone $binary_remote_addr zone=slowuser:10m;

    server {

        listen       80;
        server_name  localhost;

        location / {
            #root   /var/www;
            #index  index.html index.htm;
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
            add_header Cache-Control public;
        }

        location ~* \.(jpg|jpeg|gif|css|png|js|ico|swf|mp3)$ {
            root   /var/www;
            expires        365d;
            access_log     off;
        }

        location /secretdir/ {
            deny all;
            return 403;
        }
        location /slow/ {
            secure_link $arg_h,$arg_e;
            secure_link_md5 secretkey1$uri$arg_e$remote_addr;

            if ($secure_link = "") {
                return 403;
            }

            if ($secure_link = "0") {
                return 403;
            }
            root   /var/www;
            limit_rate 25k;
            limit_conn slowuser 2;
            rewrite  ^/slow/(.*)$  /secretdir/$1  break;
        }
        location /authorized/ {
            secure_link $arg_h,$arg_e;
            secure_link_md5 secretkey2$uri$arg_e$remote_addr;

            if ($secure_link = "") {
                return 403;
            }

            if ($secure_link = "0") {
                return 403;
            }
            root   /var/www;
            rewrite  ^/authorized/(.*)$  /secretdir/$1  break;
        }

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

    }

}

Edit:
Please note that:
- mydomain.org is hosted on Server#1, with A name for sub1 declared in it.
- sub1.mydomain.org A name redirects on Server#2, which hosts the files to protect.
- The nginx.conf file above is the one on the server#2 (sub1.mydomain.org). Server#1 (mydomain.org) is running Apache2 only.
- directories on server#2 are like this:

/var/www/
      |_ download/
      |_ index.html
Musa

1 Answer


server_name localhost;

Is this really in your nginx.conf, or did you fake this for SF? If you want the IP and the domain name to serve requests from the same vhost, you should change your config to

listen       80  default_server;
server_name  _;

I suggest routing requests to your IP address to a valid domain name via HTTP 301 (Moved Permanently).

I hope this helps.

Ben.
  • Yes, it's my real cfg, I just changed directory names and secretkey. I added extra info to the first post that might be crucial: mydomain.org and sub1.mydomain.org are not on the same server. The nginx.conf here is the one from the server at sub1.mydomain.com (mydomain.org is running Apache2 only). – Musa Jun 18 '13 at 09:01
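
Added example (not code from the question or the answer): a Python re-computation of the token that the question's `/authorized/` location checks with `secure_link_md5 secretkey2$uri$arg_e$remote_addr`, useful when debugging a 403 because it shows which request properties the hash is bound to (secret, `$uri`, `e`, client address) and that the hostname is not one of them. The client addresses, the "current time" and the function names are constructed for illustration; `secretkey2` is the placeholder secret from the posted config.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SECRET = "secretkey2"        # placeholder secret from the /authorized/ location
CLIENT_V4 = "203.0.113.7"    # constructed client address (documentation range)
CLIENT_V6 = "2001:db8::7"    # constructed: the same client seen over IPv6


def expected_hash(secret, uri, expires, remote_addr):
    """Token for `secure_link_md5 <secret>$uri$arg_e$remote_addr`:
    base64url of the raw MD5 digest, '=' padding stripped."""
    data = f"{secret}{uri}{expires}{remote_addr}".encode()
    digest = hashlib.md5(data).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def secure_link_value(url, secret, remote_addr, now):
    """Return what $secure_link would hold: "" (bad hash), "0" (expired), "1" (ok).
    Assumes the path has no percent-escapes, so it equals nginx's $uri."""
    parts = urlsplit(url)
    args = parse_qs(parts.query)
    h = args.get("h", [""])[0]
    e = args.get("e", [""])[0]
    if not h or not e.isdigit() or int(e) <= 0:
        return ""
    want = expected_hash(secret, parts.path, e, remote_addr)
    if not hmac.compare_digest(h.encode(), want.encode()):
        return ""
    return "0" if int(e) < now else "1"


def signed_url(host, uri, expires, remote_addr, secret=SECRET):
    """Build a link the way the issuing application would."""
    h = expected_hash(secret, uri, expires, remote_addr)
    return f"http://{host}{uri}?h={h}&e={expires}"


if __name__ == "__main__":
    now = 1371539000  # constructed "current time", before the e= value on the page
    for host in ("123.45.67.89", "sub1.mydomain.org"):
        url = signed_url(host, "/authorized/personal.zip", 1371539981, CLIENT_V4)
        for seen in (CLIENT_V4, CLIENT_V6):
            print(host, seen, repr(secure_link_value(url, SECRET, seen, now)))
```

Comparing the address used when the link was signed with the `$remote_addr` nginx logs for the failing request tells you whether a 403 comes from the hash inputs or from somewhere else in the configuration.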