CODEWITHSUNDEEP
nginx
Sean Bollin
Sean Bollin

Reputation: 910

nginx proxy_pass and URL decoding

Original URL: /api/url%2Fencoded%2F/?with=queryParams

nginx:

location /api {
    client_max_body_size 2G;
    proxy_pass https://oursite;
}

With this configuration, I was able to preserve the URL encoding when passing through the proxy. If I add a "/" after "oursite", it will decode the URL.

Problem:

Now the URL after being proxied still contains "/api/". I need to remove "/api/" only while still preserving the URL encoded parts.

Upvotes: 15

Views: 31847

Answers (2)

hmrc87
hmrc87

Reputation: 354

Disclaimer: I am sure this looks like an hack - and maybe it is. It is using the auth-subrequest feature for something else than auth, but it works!

If you want to keep any url-encoded part after /api/ from the original $request_uri I use NJS to set a variable and use it afterwards in the proxy_pass

js_import /etc/nginx/conf.d/http.js; # Import your njs file here
js_set $encodedUrlPart 'empty'; # Define a variable

  location ~* api\/(.*)$ {
    auth_request /urlencode; #This will get executed before proxy_pass
    proxy_pass http://127.0.0.1:82/$encodedUrlPart;
}

and the http.js can look like this

function urlencode(r){
    let regex = "(?<=\/api\/)(.*$)";
    let url = r.variables.request_uri # this holds the original, non touched url
    let lastPart = url.match(regex);
    r.variables.encodedUrlPart = lastPart; 
    r.log("The encoded url part: " + r.variables.encodedUrlPart);
    r.return(200); // need to return 200 so the 'auth' doesn't fail
  }
  export default {urlencode};

Is this considered unsafe? We could do some checking in the njs part though!

Upvotes: 0

cnst
cnst

Reputation: 27228

Not a long time ago there was identical question without an answer. In my opinion, you should rething api to not have such weird URLs. Another way is to have api on subdomain. – Alexey Ten Mar 11 '15 at 22:58

stackoverflow.com/q/28684300/1016033 – Alexey Ten Mar 11 '15 at 23:01

Year-old challenge accepted!

    location /api/ {
        rewrite ^ $request_uri;
        rewrite ^/api/(.*) $1 break;
        return 400;
        proxy_pass http://127.0.0.1:82/$uri;
    }

That's it, folks!

More details at Nginx pass_proxy subdirectory without url decoding, but it does work even with the query string, too:

%  curl "localhost:81/api/url%2Fencoded%2F/?with=queryParams"
/url%2Fencoded%2F/?with=queryParams
%

Upvotes: 29

Related Questions