TransWikia.com

NGINX deny all except websockets for Flask app

Server Fault Asked by Igniter on January 1, 2021

I have an Ubuntu server running Flask app under nginx, this is my conf:

upstream flaskapp {
  server 127.0.0.1:5000 fail_timeout=0;
}

server {
  listen 80;
  server_name _;
  location / {
    add_header "Access-Control-Allow-Origin" "http://localhost, https://website";
    try_files $uri @proxy_to_app;
  }

  location @proxy_to_app {
    proxy_pass http://flaskapp;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }
} 

server {
  listen 443;

  ssl on;
  ssl_certificate      /etc/letsencrypt/live/server/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/server/privkey.pem;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_prefer_server_ciphers on;
  
  location / {
    add_header "Access-Control-Allow-Origin" "http://localhost, https://website";
    try_files $uri @proxy_to_app;
  }

  location @proxy_to_app {
    proxy_pass http://flaskapp;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }
}

There might be a lot of redundant code, since I compiled it from many sources but it works as intended.
Also I observe a lot incoming requests from all types of botnets checking my routes like this:

43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:20] "GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php HTTP/1.1" 404 356 0.000558
(1805) accepted ('127.0.0.1', 34590)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:22] "GET /sqladmin/index.php HTTP/1.1" 404 356 0.000541
(1805) accepted ('127.0.0.1', 34592)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:22] "GET /sql/index.php HTTP/1.1" 404 356 0.000506
(1805) accepted ('127.0.0.1', 34594)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:23] "GET /SQL/index.php HTTP/1.1" 404 356 0.000543
(1805) accepted ('127.0.0.1', 34596)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:23] "GET /websql/index.php HTTP/1.1" 404 356 0.000570
(1805) accepted ('127.0.0.1', 34598)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:23] "GET /MySQLAdmin/index.php HTTP/1.1" 404 356 0.000566
(1805) accepted ('127.0.0.1', 34600)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:24] "GET /manager/html HTTP/1.1" 404 356 0.000642
(1805) accepted ('127.0.0.1', 34602)
43.226.152.131,127.0.0.1 - - [20/Jul/2020 14:41:24] "POST /axis2/axis2-admin/login HTTP/1.1" 404 356 0.000606
(1805) accepted ('127.0.0.1', 34610)
128.14.134.134,127.0.0.1 - - [20/Jul/2020 14:43:12] "GET / HTTP/1.1" 404 356 0.000507

And this is my own request which is processed correctly:

53.129.29.157,127.0.0.1 - - [20/Jul/2020 20:49:33] "GET /socket.io/?client=KbDHcPsvwELKRJCCFKleAA6HLy&EIO=3&transport=polling&t=NDj_I0I HTTP/1.1" 200 437 0.001434
(1805) accepted ('127.0.0.1', 35076)

I would like to deny all incoming POST and GET requests except for /socket.io/ with client/transport args (plus SSH on 22 to that machine of course).
This is my try which doesn’t work (possibly I need some nested location construction):

location = /socket.io/ {
  limit_except GET {
    deny all;
  }
}

How can I deny everything except GET requests to a specified location with args?

flasknginxsocket.iowebsocket

Add your own answers!

Ask a Question

Get help from others!

Recent Answers

Recent Questions

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP