0

Example request - http://localhost/iframe?ip=192.168.0.237

I want to proxy pass the request to the value of IP and remove the path and args after localhost/ .

Ideally the proxy_pass should point to 192.168.0.237 and the URL should be http://localhost/.

localhost /iframe {
    rewrite ^/(iframe/.*)$ http://localhost/ permanent;
    proxy_pass $arg_ip;
}

I'm not sure whether rewrite is the proper way to address this problem.

Nirmal
  • 549
  • 1
  • 9
  • 24

1 Answers1

0

I would use the argument ip and a rewrite to remove the iframe location

server {
   listen 8085;
   location /iframe {
      rewrite ^/iframe(.*)$ /$1 break;
      proxy_pass http://$arg_ip;
   }
}

server {
  listen 8080;
  location / { return 200 "$host$uri"; }
}

Security Notice

I just have a feeling you should whilelist the upstream servers accepted as arguments. If not this will be a wildcard proxy to every single http-server reachable in the network. This is a easy to use SSRF attack vector. So please add some extra layer of security.

SSRF Explained:

Let's say we use this configuration without any further security. Given the folowing NGINX config:

server {
   listen 8085;
   location /iframe {
      rewrite ^/iframe(.*)$ /$1 break;
      proxy_pass http://$arg_ip;
   }
}

# Server for iframe service
server {
  listen 8080;
  root /usr/share/nginx/;
  location / { return 200 "$host$uri\n"; }
}

# Private Server Section here! 
server {
  listen 8086;
  allow 127.0.0.1;
  deny all;
   .....
  location / {
    index welcome.html;
  }

}

Trying to reach the secret server directly

curl -v EXTERNALIP:8086

will fail with HTTP 403.

The NGINX will just allow connections form localhost/127.0.0.1 as defined in the allow/deny directives.

But lets try the iframe with the ip argument.

$# curl localhost:8085/iframe?ip=127.0.0.1:8086
Welcome to our very secure server! Internals only!

It prints the content of the secret server. Whitlisting a proxy-pass like this is never a good idea regardless its working or not.

Timo Stark
  • 2,721
  • 1
  • 10
  • 23
  • Thanks one question, 1.I tried the code out, in the rewrite path I simply want the URL to be localhost/ . I dont need the ip=$val , because I want this to be passed to proxy URL. Is this a good way, I'm not sure if this is possible. 2. Is it to better to add some header and then pass the IP value in header and then extract it in localhost / path? The IP is just used to render iframe of the site. – Nirmal Mar 30 '21 at 17:24
  • Basically 192.168.0.237 is the site which is being rendered in an iframe – Nirmal Mar 30 '21 at 17:27
  • dont get your questions here. In my example i can make a reuqest to `curl localhost:8085/iframe?ip=127.0.0.1:8080`. Based on my rewrite the URI in my server block listen on `8080` will be /. Can you try to explain what exactly your requests will look like?? – Timo Stark Mar 30 '21 at 21:24
  • Or are you talking about a redirect? first request is `iframe?ip=...` and then we are using 302 to redirect to localhost but show to reponse from the proxy-request? – Timo Stark Mar 30 '21 at 21:29