
How can I restrict access to a RESTful API with an nginx reverse proxy server?


I have a webpage that would be served to a client, after which, when they press on the page, it will send the request to an nginx reverse proxy, which would send it along to the correct RESTful API. The nginx and RESTful APIs are on another server.

How can I use nginx to restrict access only to the webpage, so that users cannot go directly to the API?

I've already set CORS but I was told that CORS can be bypassed (an example is Postman).

I have tried using (all on nginx config):

# reject any request whose Host header is not the webpage's domain;
# 444 makes nginx close the connection without sending a response
if ($host != domain.of.webpage) {
    return 444;
}

Another method:

# catch-all default server: any request that matches no other server_name
# gets the connection closed (444)
server {
    listen 443 default_server;
    listen [::]:443 default_server;
    server_name _;
    return 444;
}

And another:

# IP allow-list: only the listed IPv4/IPv6 ranges may pass, everything else is denied
satisfy any;

allow xx.xx.xx.xx/xx;
allow xxxx:xxxx:xxxx:xxxx:xxxx/xx;
deny all;

All restricted access but also to the webpage itself. I know the last method wouldn't work as the client that accesses it will not be on the host so the IP addresses are moot.

Anything else I can try?


Solution

  • The answer was given by parzival in the comments on the question. I've reproduced it below.

    It sounds like you are saying you have an API exposed on the public Internet, used by a web page on the public Internet, and you want to restrict access such that the API can only be used by scripts on that web page. Is that accurate? If so, there is nothing you can truly do to restrict access in this way. At most, you could rely on obfuscation techniques to make it more difficult.

    — parzival Mar 29 '19 at 22:17
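The following is an added example, not code from the question or from parzival's answer, that makes the point concrete. It models in Python the kinds of checks the question tried at the nginx layer (an Origin/Referer check, which is what nginx's $http_origin or valid_referers would test; the IP allow-list) plus the "obfuscation" option from the answer, a short-lived HMAC token embedded in the page, and runs each check against a browser request and against a request a Postman-style client can assemble. The hostnames, the allow-listed range, the secret and the token format are all assumptions chosen for the example; the requests are constructed samples, and the gate functions are simplifications of nginx behaviour, not nginx itself.

```python
"""Added example: why header- and IP-level gating in front of a public API
cannot tell the page's own browser traffic from a forged non-browser client.
All hosts, addresses, secrets and requests below are constructed assumptions."""
import hashlib
import hmac

WEBPAGE_HOST = "www.example.com"           # assumption: hostname that serves the page
API_HOST = "api.example.com"               # assumption: hostname the proxy fronts the API on
ALLOWED_NET = "203.0.113."                 # assumption: allow-listed range (TEST-NET-3)
TOKEN_SECRET = b"constructed-demo-secret"  # assumption: shared by page server and proxy
TOKEN_TTL = 300                            # seconds a page-issued token stays valid


def issue_token(now):
    """What the page server would embed in the HTML: a timestamped HMAC.
    Anyone who can fetch the page (i.e. every public client) gets one."""
    ts = str(int(now))
    mac = hmac.new(TOKEN_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_token(token, now):
    """Proxy-side check: signature must match and the token must be within TTL.
    Malformed or missing tokens are rejected rather than raising."""
    try:
        ts, mac = token.split(".", 1)
        age = now - int(ts)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(TOKEN_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and 0 <= age <= TOKEN_TTL


def browser_request(now, client_ip="198.51.100.7"):
    """Constructed sample: what a browser on the public Internet sends after
    loading the page and clicking. The browser fills in Host/Origin/Referer."""
    return {
        "host": API_HOST,
        "origin": f"https://{WEBPAGE_HOST}",
        "referer": f"https://{WEBPAGE_HOST}/index.html",
        "x-page-token": issue_token(now),
        "client_ip": client_ip,
    }


def forged_request(now, client_ip="198.51.100.7"):
    """Constructed sample: what Postman, curl or a script sends. Every header is
    chosen by the client (copied from the browser's devtools), and the token is
    obtained by fetching the page first, exactly as the browser did."""
    return {
        "host": API_HOST,                                 # attacker sets Host freely
        "origin": f"https://{WEBPAGE_HOST}",              # CORS headers are just headers
        "referer": f"https://{WEBPAGE_HOST}/index.html",  # Referer likewise
        "x-page-token": issue_token(now),                 # scraped from the page HTML
        "client_ip": client_ip,                           # same kind of public address
    }


def gate_origin_referer(req):
    """Closest to what nginx can do with $http_origin / valid_referers: admit only
    requests claiming to come from the page. Client-supplied, so forgeable."""
    page = f"https://{WEBPAGE_HOST}"
    return req.get("origin") == page or req.get("referer", "").startswith(page + "/")


def gate_ip_allowlist(req):
    """The question's allow/deny attempt: only a fixed range may reach the API.
    Public visitors are outside that range, so it denies the page's own users."""
    return req["client_ip"].startswith(ALLOWED_NET)


def gate_signed_token(req, now):
    """Obfuscation layer: require the HMAC token the page embeds. Raises the
    bar (a caller must fetch the page first) but does not separate clients."""
    return verify_token(req.get("x-page-token"), now)


def evaluate(req, now):
    """Run every gate against one request; returns {gate_name: allowed}."""
    return {
        "origin_referer": gate_origin_referer(req),
        "ip_allowlist": gate_ip_allowlist(req),
        "signed_token": gate_signed_token(req, now),
    }


def gates_distinguish_clients(now):
    """True only if some gate admits the browser but rejects the forged client.
    It is False: every gate gives both requests the same verdict."""
    b = evaluate(browser_request(now), now)
    f = evaluate(forged_request(now), now)
    return any(b[g] and not f[g] for g in b)


if __name__ == "__main__":
    now = 1_700_000_000
    for name, req in (("browser", browser_request(now)), ("forged", forged_request(now))):
        print(name, evaluate(req, now))
    print("any gate separates them:", gates_distinguish_clients(now))
```

Running it shows the browser and the forged client receiving identical verdicts from every gate: the Origin/Referer and token checks admit both, and the IP allow-list rejects both, which is the "IP addresses are moot" outcome the question already observed. The only check that behaves differently is the expired or tampered token, and that penalises a slow or careless client, not a non-browser one. If the API must be reachable by anonymous visitors of a public page, the proxy can only raise the cost of scripting it, not prevent it; anything stronger needs a credential the page itself does not hand out to everyone.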