feat: allow access to forbidden location to specified user agents

sparkfabrik · Jun 18, 2024 · 56e52eb · 56e52eb
1 parent d410259
commit 56e52eb
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -104,6 +104,7 @@ The entrypoint file contains a list of environment variables that will be replac
 - `NGINX_CLIENT_MAX_BODY_SIZE`: the maximum allowed size for the client request body (default: `200M`)
 - `NGINX_CORS_ENABLED`: enable cors for `/` path and the caller origin header represented by `$http_origin` nginx variable (<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin>) (default: `0`)
 - `NGINX_CORS_DOMAINS`: a list of CORS enabled domains to activate cors just for the specified ones (no default provided)
+- `NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS`: a regexp (`startswith`) used to match the valid user agents that can call the forbidden locations (the response is empty, only a `return 200` is provided)
 
 ## Rootless feature
 

diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -73,9 +73,17 @@ if [ -n "${NGINX_BASIC_AUTH_USER}" ] && [ -n "${NGINX_BASIC_AUTH_PASS}" ]; then
 fi
 
 # Activate the forbidden locations when the environment is not local
+NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS=${NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS:-}
+export NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS
 if [ "${ENV:-}" != "loc" ]; then
   print "Activating the forbidden locations"
   cp /templates/fragments/005-forbidden-locations.conf /etc/nginx/conf.d/fragments/005-forbidden-locations.conf
+
+  if [ -n "${NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS}" ]; then
+    envsubst '$NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS' < /templates/fragments/005-forbidden-locations-user-agents-fragment.conf.tpl > /templates/fragments/005-forbidden-locations-user-agents-fragment.conf
+    sed -e '/#forbidden-locations-allowed-user-agents/r /templates/fragments/005-forbidden-locations-user-agents-fragment.conf' -i /etc/nginx/conf.d/fragments/005-forbidden-locations.conf;
+  fi
+  sed -i '/#forbidden-locations-allowed-user-agents/d' /etc/nginx/conf.d/fragments/005-forbidden-locations.conf
 fi
 
 # Activate HSTS header (default: off)

diff --git a/templates/fragments/005-forbidden-locations-user-agents-fragment.conf.tpl b/templates/fragments/005-forbidden-locations-user-agents-fragment.conf.tpl
@@ -0,0 +1,3 @@
+  if ($http_user_agent ~ ^${NGINX_FORBIDDEN_LOCATIONS_ALLOWED_USER_AGENTS}) {
+    return 200;
+  }
diff --git a/templates/fragments/005-forbidden-locations.conf b/templates/fragments/005-forbidden-locations.conf
@@ -1,7 +1,9 @@
 location = /core/install.php {
+  #forbidden-locations-allowed-user-agents
   return 404;
 }
 
 location = /update.php {
+  #forbidden-locations-allowed-user-agents
   return 404;
 }