5

Can I create a location which can be accessed by any other location in nginx config and cannot be accessed directly from outside?

I can use a deny directive, but it will also deny access to the locations defined in nginx config.

Here's my config - 

server {
  listen *:80;
  server_name 127.0.0.1;

  location = /auth {
      set $query '';
      if ($request_uri ~* "[^\?]+\?(.*)$") {
         set $query $1;
      }
      # add_header X-debug-message "Parameters being passed $is_args$args" always;
      proxy_pass http://127.0.0.1:8080/auth?$query;
  }

  location /kibana/ {
     rewrite ^/kibana/(.*) /$1 break;
     proxy_pass http://127.0.0.1:5601;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection 'upgrade';
     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header  X-Real-IP  $remote_addr;
     proxy_cache_bypass $http_upgrade;
     auth_request /auth;
  }

  location ~ (/app/|/app/kibana|/bundles/|/kibana4|/status|/plugins|/ui/|/api/|/monitoring/|/elasticsearch/) {
     internal;
     proxy_pass http://127.0.0.1:5601;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
     proxy_set_header Host $host;
     rewrite /kibana4/(.*)$ /$1 break;
  }

  error_page 404 /404.html;
    location = /40x.html {
  }

  error_page 500 502 503 504 /50x.html;
    location = /50x.html {
  }
}

So, I need the last location to be accessible from location /kibana/ only, but with internal; it's throwing a 404 error, without it works fine.

I actually need to protect kibana with nginx, but I will effectively end up exposing it without any authentication anyways.

Mahesh H Viraktamath
  • 818
  • 3
  • 14
  • 34
  • How to you intend to access a location from another location? There is the [internal directive](http://nginx.org/en/docs/http/ngx_http_core_module.html#internal) or [named location](http://nginx.org/en/docs/http/ngx_http_core_module.html#location), neither of which can be accessed directly. – Richard Smith Oct 31 '18 at 09:24
  • I have updated my question with the relevant data – Mahesh H Viraktamath Oct 31 '18 at 09:49
  • The issue is, if I just use `/kibana`, the nginx looks for the webapp under `/usr/share/nginx/html`, which is strange! Then I added these extra locations and again proxied to the same location `127.0.0.1:5601` then it works without `internal;`, but then I can always directly access the `/app/kibana` without any authentication. – Mahesh H Viraktamath Oct 31 '18 at 11:19

1 Answers1

5

You can use something called a named location. It can't be accessed from the outside at all, but inside your config you can refer to it in some cases:

location @nginxonly {
    proxy_pass http://example.com/$uri$is_args$args;
}

After creating your named location you can refer to it in some other places like the last item in a try_files directive.

Fábio Santos
  • 3,899
  • 1
  • 26
  • 31