NginX: how to rewrite response body and headers?

nginx filtering http-authentication

Context

I have a collection of static HTML pages (~10k pages) generated by some application over which I have no control. These pages are served by NginX from a location block.

Pages may contain sensitive data. I would like to be able to block page display depending on user identity and "flags" in the page.

These flags can be implemented by a <meta name=keyword content="flag1 flag2 flagn"> element. When such an element is present, "credentials" should be checked.

My idea is to scan the request response before letting it be returned to the user. For this, I need

  • a way to pass the full response (header + body) to some custom code so that the <head> element can be parsed If there are no flags, the response is returned unaltered
    If there are flags and user has no credentials, he is asked to identify himself
    If there are flags and user has right to see, the response is returned unaltered
    If there are flags and user has no right to see, an error page is returned instead of the response


    Eventually, the flag <meta> element is erased to avoid leaking filter hints.

  • some way to pass to this user code information about the current credentials (user name, challenge value, any useful information like identification time-stamp, …)

The user code would rely on a "database" (this term doesn't necessarily imply the use of a true DB engine) containing user privileges and implement a timeout function.

Can the user code be implemented as a FastCGI script? If so, what are the directives to pass it the full response?

Preliminary trials

Presently user identification can't be conditional: when auth_basic is enabled in a location, users must identify themselves, even to access public pages. I can mitigate this by having a guest/guest user/password but I can't have a warning page before requesting credentials.

So, authentication is always required. Afterwards, an Authorization: Basic some_hash header is sent with the request. This hash needs to be captured when authentication occurs for future access to privilege properties of users.

How can I do it?

I am aware that in the present state, this specification offers no real security at all (vulnerable to replay attacks among others). I want to create a proof of concept before going further. Does my goal make sense?

Is there a simpler way to handle it? XSLT? (though the current user credentials must be fed into the patterns)


I think the only way to implement this is to use some front-end controller that checks the access logic requirements, and then sends the HTML files from disk.

You would not use any auth dirctives from nginx. The authentication process would be handled by the front-end controller.

The front-end controller can be implemented in several ways, for example Node.JS application, PHP, Ruby on Rails and Python.

Related

How to mock HashOperations of Spring StringRedisTemplate?
Is it possible to include a String from a Java file in a JSP? [duplicate]
Package (Python PIL/Pillow) installed but I can't import it
npm install with error: `gyp` failed with exit code: 1
How to avoid Limit Exceeded: Drive?
Azure DevOps Pipeline - YAML formatting error?
Creating a queue for the evaluateJavascript function on a WebView
Do I have to return something in javascript function?
why can't I use pillow when I have pillow? [duplicate]
The executing order gets incorrect in python threading, how to make it correct?
hasRole check doesnt work with th:replace
pytorch gradient / derivative / difference along axis like numpy.diff