Search code examples
nginxnginx-reverse-proxyopensearch-dashboards

NGINX - using a web app's port number bypasses my NGINX config


I am running an 'Opensearch Dashboards' server (it's a free fork of Kibana). Opensearch Dashboards runs on port 5601 ('https://myopensearchserver:5601').

I have the below NGINX config that allows me to access the application via 'https://myopensearchserver' and it does a proxy_pass to 'https://myopensearchserver:5601'.

This all works correctly and it has the added benefit that it hides the port number in the browser from the user, just makes it look tidier:

server { 
  listen 443 ssl; 
  server_name localhost; 
  ssl_certificate mycert.pem; 
  ssl_certificate_key mycert.key; 
  ssl_client_certificate ca.pem; 

  location / { 
    proxy_pass https://myopensearchserver:5601/; 
  } 
} 

The problem is that the user could still access 'https://myopensearchserver:5601' in the browser and it completely bypasses my NGINX config. Which is an issue because I plan to build more security controls into my NGINX config.

So I either want to stop the user accessing the application directly via 'https://myopensearchserver:5601', or to somehow redirect it so that it does go via my NGINX config.

How would I do this?


Solution

  • I don't know if this is a reasonable solution or not. But I ended up creating two firewall rules on the nginx/application host, one that denies incoming connections to port 5601 and another that allows connections to port 5602 from the localhost. And this has achieved the desired result, if a user enters the application url without the port into the browser, it is processed by nginx on the localhost and is forwarded to port 5601 and it works correctly. But if a user enters the application url with the port included, then it gets blocked by the firewall.

    Edit - actually the easiest and best solution is to simply not open port 5601 on the Kibana/nginx host to begin with. If you don't open it then it isn't accessible externally but can still be redirected to by nginx.