仅允许通过 nginx 反向代理包含某些 get 变量的请求

仅允许通过 nginx 反向代理包含某些 get 变量的请求

我有一个 nginx 反向代理,它将处理来自另一台服务器的 API 的回调。这些回调转到,https://callbackserver.com/?wc_api=App&secret=SECRET但我希望任何其他没有和的请求wc_apisecret被拒绝。

这是我的简单 nginx 反向代理配置...

server {
        listen 443 ssl;
        server_name redacted.domain;
        ssl_certificate /etc/letsencrypt/live/redacted.domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/redacted.domain/privkey.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

        location / {
                 proxy_pass_header Authorization;
                 proxy_pass http://127.0.0.1:8000;
                 proxy_set_header Host $host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_http_version 1.1;
                 proxy_set_header Connection "";
                 proxy_buffering off;
                 client_max_body_size 0;
                 proxy_read_timeout 36000s;
                 proxy_redirect off;
        }
}

server {
        server_name redacted.domain;
        listen 80;
        return 301 https://redacted.domain$request_uri;
}

请告诉我如何按照我上面的描述拒绝这些事情。

答案1

您可以根据正则表达式测试 $args

location / {
    if ( $args !~* "^wc_api=.+&secret=[^&;]" ) {
        return 403;
    }
    proxy_pass_header ...

相关内容