Nginx deny illegal host headers

A friend asked me how to prevent the IP address of a virtual host from being accessed directly from a web browser. The goal of this setup is to deny illegal Host headers sent by the web browser. As an example, I have the domain blog.pnyet.web.id with IP address 111.68.119.146, and I want to reject all requests made directly to 111.68.119.146 from a web browser. See below for details:

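# Close the connection (444) unless the Host header is one of our names.
# Dots are escaped so that "." matches only a literal dot.
if ($host !~* ^(yourdomain\.com|www\.yourdomain\.com)$ ) {
    return 444;
}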

For example, the setup for this blog:

server {
    listen blog.pnyet.web.id:80;
    server_name blog.pnyet.web.id www.blog.pnyet.web.id;
    # Reject any request whose Host header is not one of this site's names
    if ($host !~* ^(blog\.pnyet\.web\.id|www\.blog\.pnyet\.web\.id)$ ) {
        return 444;
    }
}
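
An alternative that needs no `if` inside the site's server block, added here as an example and not part of the original post: a catch-all default server on the same address and port receives every request whose Host header matches no `server_name`, including requests made to the bare IP. The IP and domain are the ones from the post; the `root` path is a placeholder assumption.

```nginx
# Added example: catch-all virtual host for this address:port.
# Requests whose Host header matches no server_name below (the bare IP,
# an unknown domain, or no Host header at all) are handled here.
server {
    listen 111.68.119.146:80 default_server;  # IP taken from the post
    server_name _;                            # "_" is an invalid name that never matches
    return 444;                               # nginx-specific: close the connection, send nothing
}

# The real site: only requests with a matching Host header reach it,
# so the "if ($host ...)" test is no longer needed here.
server {
    listen 111.68.119.146:80;
    server_name blog.pnyet.web.id www.blog.pnyet.web.id;
    root /var/www/blog;   # placeholder path (assumption), not from the post
}
```

The `default_server` flag applies per listen address and port, so the catch-all must use the same `listen` pair as the site it protects. After reloading nginx, a request to `http://111.68.119.146/` should end with an empty reply, while the named site still answers normally.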

Hope this helps.


How to get the real IP address in PHP behind a proxy

A few days ago I was tinkering with a PHP script on one of my backend applications because, after putting nginx in front as a reverse proxy for several backend applications, the IP address detected was the front end's IP (the proxy IP) and not the visitor's real IP. After reading the PHP manual on php.net, I finally found the parameter that has to be changed so that the PHP script recognizes the visitor's real IP address.


PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp)

This article refers to another article that is not published yet. I had an issue with session.save_path in a php-fpm setup. For security improvements I want to make PHP execute under individual user accounts instead of a system user like nginx (the default www user and group). In Apache environments I can use suPHP or suExec, and in Nginx I can use php-fpm with a custom “pool” for each web server, which makes PHP scripts execute as the owner and group described in each pool.