    Prevent backend ip leak with external images (nginx)

    Is it possible to prevent backend image leaking on nginx if someone for example uses

    <img src="externalsite.com/image.png" />

    Does X-Forwarded-For leak the backend IP in this case?

    Comments

    • cloudflare? otherwise reverse proxy

    • @webdev said:
      cloudflare? otherwise reverse proxy

      Using Cloudflare already, but it is leaking when a user sets an avatar, for example on a POST request.

    • benj0x Member
      edited February 13

      @TheWalkingZ said:

      @webdev said:
      cloudflare? otherwise reverse proxy

      Using Cloudflare already, but it is leaking when a user sets an avatar, for example on a POST request.

      Change your forum code so that it'll download the image and save it on your service.
      This will only leak your webserver's IP then.

      Edit: wait, you want to hide your backend's IP?

    • Your domain is bound to a Cloudflare IP, as long as you don't use the IP directly, how is it possible to leak the backend IP...

    • marvel Member without signature
      edited February 13

      @webdev said:
      Your domain is bound to a Cloudflare IP, as long as you don't use the IP directly, how is it possible to leak the backend IP...

      He's looking to prevent outside linking to his images, not the leaking of the IP (I think?)

      Perhaps this? https://serverfault.com/questions/907807/how-to-prevent-image-hotlinking-in-nginx

      I think you need the valid_referers option.

    • @webdev said:
      Your domain is bound to a Cloudflare IP, as long as you don't use the IP directly, how is it possible to leak the backend IP...

      There was a PHP checker for MIME type in the code I was using, which was making a direct request from my server to check image size and file extension, hence the IP leak.

      So I've removed it and added only a regex to check if the image has a valid extension.

    • PHP is running on the server side, how does it leak the IP to the client?

    • benj0x Member
      edited February 13

      @webdev said:
      PHP is running on the server side, how does it leak the IP to the client?

      Probably he fears that someone puts an IP Logger link into this checker and gets his backend IP then.

    • @webdev said:
      PHP is running on the server side, how does it leak the IP to the client?

      The client hosts the image on their server and looks into the access logs. My server was querying his URL to check if the image has a valid extension, so he gets from the access logs which IP was accessing the image.

      Here's an example I've tested, and I got the real backend server IP in the Apache logs
      https://i.postimg.cc/NMsWhTyj/screenshot-53.png from my nginx server

    • I see, to prevent leaking the IP to the image server. Do you need to store the image on your server? Otherwise, what's the point of checking the external image, since they can change it any time later?

    • @webdev said:
      I see, to prevent leaking the IP to the image server. Do you need to store the image on your server? Otherwise, what's the point of checking the external image, since they can change it any time later?

      No need to store them and you are right, no point, really. Shitty coding that is.

    • jar Provider
      edited February 13

      You could route outbound traffic differently. Perhaps as simple as connecting to a VPN as a client.
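
The fix described earlier in the thread (dropping the server-side fetch and checking only the URL's extension) could look like the following. This is an added example, not code from the thread or from any forum software; the function name, the constant and the extension list are assumptions, and the sample URLs are constructed.

```php
<?php
declare(strict_types=1);

// Assumed allowlist; adjust to the image types the forum accepts.
const ALLOWED_AVATAR_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'webp'];

/**
 * Validate a user-supplied avatar URL by string parsing only.
 *
 * Nothing here resolves or fetches the URL, so the remote host never
 * receives a connection from this server. Passing the URL to a function
 * that opens it (for example getimagesize($url) with allow_url_fopen
 * enabled) would put the server's outbound IP in the remote access log.
 */
function is_acceptable_avatar_url(string $url): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Credentials embedded in the URL have no place in an avatar link.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Test the extension of the path only, so "?f=image.png" cannot satisfy it.
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_AVATAR_EXTENSIONS, true);
}

// Constructed sample inputs.
$samples = [
    'https://externalsite.com/image.png',            // accept
    'https://externalsite.com/log.php?f=image.png',  // reject: path ends in .php
    'ftp://externalsite.com/image.png',              // reject: scheme
    'externalsite.com/image.png',                    // reject: no scheme or host
];
foreach ($samples as $s) {
    printf("%-46s %s\n", $s, is_acceptable_avatar_url($s) ? 'accept' : 'reject');
}
```

As noted in the thread, this only checks the shape of the link: the remote file can change at any time, and the visitor's browser still fetches it directly.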