I want to accept/deny requests depending on HTTP request custom headers. Is there any option available in both IIS and NGINX?

I think IIS has one, but NGINX?

Muqadar Ali
  • For IIS you should be able to use URL Rewrite module. NGINX does have something similar, https://www.nginx.com/blog/creating-nginx-rewrite-rules/ – Lex Li Apr 29 '20 at 19:31
  • I think rewriting is different than request header filtering. @LexLi – Muqadar Ali Apr 29 '20 at 19:33
  • No. You can use URL Rewrite module to replace request filtering most of the time. – Lex Li Apr 29 '20 at 20:05
  • @LexLi How would I achieve my question using rewrite? I need to check if customHeader1 = xyz then accept otherwise deny request? – Muqadar Ali Apr 29 '20 at 20:16
  • For IIS, it is rather simple to return a custom response from your rules, https://stackoverflow.com/questions/42114236/in-iis-rewrite-rules-is-it-possible-to-return-a-customresponse-statuscode-with To check custom header of the request, add a condition. On NGINX, the same can be easily achieved via return directive. – Lex Li Apr 29 '20 at 20:18
  • @LexLi The above URL applies a regex to the URL. This does not answer my question. I need to look into the request header (NOT URL) and then deny/accept the request. – Muqadar Ali Apr 29 '20 at 20:20
  • "To check custom header of the request, add a condition." – Lex Li Apr 29 '20 at 20:21

1 Answer

A URL Rewrite inbound rule can deny a request based on a request header. For example, if your custom request header is AuthHeader, then you only need to add a condition pattern for {HTTP_AuthHeader}.

The sample deny rule would look like this.

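<rule name="deny rule" stopProcessing="true">
    <!-- Apply to every URL -->
    <match url="(.*)" />
    <conditions>
        <!-- Match on the AuthHeader request header -->
        <add input="{HTTP_AuthHeader}" pattern="jokies" />
    </conditions>
    <!-- Abort the request when the condition matches -->
    <action type="AbortRequest" />
</rule>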

As you can see, IIS returns 504 when the request header AuthHeader=jokies.

IIS returns 200 if the AuthHeader doesn't match jokies.

Of course, you can develop and inject your custom httpmodule to customize the request header filter.

Jokies Ding
  • Great, but can you tell me how I can achieve the same in NGINX? – Muqadar Ali Apr 30 '20 at 08:26
  • I think it's almost the same: https://stackoverflow.com/questions/26223733/how-to-make-nginx-redirect-based-on-the-value-of-a-header. Identify the request HTTP_custom header, then return 401 status. – Jokies Ding Apr 30 '20 at 08:57
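
For the NGINX half of the question, the following is an added example and not code from either poster: a complete nginx.conf that accepts a request only when the header carries the expected value and denies everything else. The header name customHeader1 and the value xyz come from the question's comment; the listen port and the backend address are assumptions.

```nginx
# Added example, not from the thread. Header name "customHeader1" and value
# "xyz" are taken from the question's comment; port and backend are hypothetical.
events {}

http {
    # NGINX exposes each request header as $http_<name>, lowercased, with
    # dashes turned into underscores: customHeader1 -> $http_customheader1.
    map $http_customheader1 $deny_request {
        default    1;   # header absent, empty, or any other value
        "~^xyz$"   0;   # regex form: exact, case-sensitive match
                        # (a plain "xyz" string entry would ignore case)
    }

    server {
        listen 8080;

        location / {
            # "return" is one of the directives that is safe inside "if".
            if ($deny_request) {
                return 403;   # 444 instead closes the connection with no
                              # response, the closest match to AbortRequest
            }
            proxy_pass http://127.0.0.1:5000;   # hypothetical backend
        }
    }
}
```

Request headers are set by the client, so this check is only as strong as the secrecy of the expected value; serve it over TLS and treat the value as a shared secret. Header names that contain underscores are ignored by NGINX unless `underscores_in_headers on;` is set.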