Score:0

nginx remove all query parameters and add a new one to a react application


I want to discard all the query parameters and add a new one (for instance DN=$ssl_client_s_dn). The reason is to prevent the client from sending this query parameter.

Replacing the value of the query parameter "DN" is also a valid solution for me.

My configuration file is

server {
  listen 9999 ssl default_server;
  listen [::]:9999 ssl default_server;

  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

  ssl_certificate        /keystores/mycert.crt.pem;
  ssl_certificate_key    /keystores/mycert.key.pem;
  ssl_client_certificate /keystores/.npm.certs.pem;         ## CA Bundle
  ssl_verify_client on;

  root /home/edu/my-react-app;

  index index.html;

  server_name _;

  location / {
    try_files $uri $uri/ /index.html =404;
  }

  location = /login {
    if ($arg_DN = "") {
      rewrite ^ /login?DN=$ssl_client_s_dn redirect;
    }
    try_files /index.html =404;
  }
}

I want to use the "DN" query parameter as a login system. But the client can fool me by sending a false DN belonging to a user with higher privileges!

Any idea?

Score:0

If you want to always use $ssl_client_s_dn as the argument, then use:

location = /login {
    rewrite ^ /login?DN=$ssl_client_s_dn last;
}

Your current solution only applies this when there is no DN argument.

However, what makes you think a client cannot impersonate the DN field?

Ximo Dante (asker): Sorry if I haven't explained the question well. I agree with you that my problem is that the client can impersonate the DN field and get administrator's privileges, but I don't know how to solve the problem. If I use the "last" flag the URL is not changed externally; see my last question https://serverfault.com/questions/1112066/nginx-append-query-parameter-to-a-react-application

Answerer: You need to configure proper client TLS certificate authentication or use a separate authentication mechanism like username / password.

Ximo Dante (asker): Thanks, but I am a beginner and I don't know how to configure proper TLS client authentication. A client can have a valid certificate and, in addition, send a false DN to the application. I have tried to use njs but I have gotten stuck. I cannot find easy examples and tutorials.
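One way to take the DN out of the client's hands entirely, as an added example that is not part of the original answer: instead of carrying the identity in the URL, let the React app ask nginx for it over a dedicated endpoint, and let nginx hand it to any backend in a header it sets itself. The /whoami path, the /api/ prefix and the upstream address 127.0.0.1:8080 are assumptions; the certificate paths are the ones from the question.

```nginx
server {
  listen 9999 ssl default_server;
  listen [::]:9999 ssl default_server;
  # ssl_protocols is left at the nginx default (TLSv1.2 and TLSv1.3 in recent versions).

  ssl_certificate        /keystores/mycert.crt.pem;
  ssl_certificate_key    /keystores/mycert.key.pem;
  ssl_client_certificate /keystores/.npm.certs.pem;   # CA bundle from the question
  ssl_verify_client on;   # handshake fails unless the client presents a cert that chains to the bundle

  root /home/edu/my-react-app;
  index index.html;
  server_name _;

  # Serve the SPA as before. A client-supplied ?DN=... is harmless here because
  # nothing on the server side ever reads it.
  location / {
    try_files $uri $uri/ /index.html =404;
  }

  # Identity endpoint (assumed path). The response body is built by nginx from
  # the certificate that passed verification on this TLS connection; the request
  # line and query string play no part in it, so a client cannot substitute a DN.
  location = /whoami {
    default_type text/plain;
    add_header Cache-Control "no-store";
    return 200 "$ssl_client_s_dn";
  }

  # If an API backend (assumed upstream) needs the identity, pass it in headers
  # that nginx sets itself. proxy_set_header replaces any X-Client-DN the client
  # sent, so the backend sees only the verified value. The backend must be
  # reachable only through nginx for this header to be trustworthy.
  location /api/ {
    proxy_set_header X-Client-DN     $ssl_client_s_dn;
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_pass http://127.0.0.1:8080;
  }
}
```

In the React app a plain fetch('/whoami') returns the DN; the browser already presented the certificate during the TLS handshake, so no extra credentials are needed.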