Prevent backend ip leak with external images (nginx)

Is it possible to prevent backend image leaking on nginx if someone for example uses

<img src="externalsite.com/image.png" />

Does X-Forwarded-For leak the backend IP in this case?

Comments

  • cloudflare? otherwise reverse proxy

  • @webdev said:
    cloudflare? otherwise reverse proxy

    Using Cloudflare already, but it is leaking when a user sets an avatar, for example on a POST request.

  • benj0x Member
    edited February 2020

    @TheWalkingZ said:

    @webdev said:
    cloudflare? otherwise reverse proxy

    Using Cloudflare already, but it is leaking when a user sets an avatar, for example on a POST request.

    Change your forum code so that it'll download the image and save it on your service.
    This will only leak your webserver's IP then.

    Edit: wait, you want to hide your backend's IP?

  • Your domain is bound to a Cloudflare IP; as long as you don't use the IP directly, how is it possible to leak the backend IP...

  • marvel Member
    edited February 2020

    @webdev said:
    Your domain is bound to a Cloudflare IP; as long as you don't use the IP directly, how is it possible to leak the backend IP...

    He's looking to prevent outside linking to his images, not the leaking of the IP (I think?)

    Perhaps this? https://serverfault.com/questions/907807/how-to-prevent-image-hotlinking-in-nginx

    I think you need the valid_referers option.

  • @webdev said:
    Your domain is bound to a Cloudflare IP; as long as you don't use the IP directly, how is it possible to leak the backend IP...

    There was a PHP checker for MIME type in the code I was using, which was making a direct request from my server to check image size and file extension, hence the IP leak :neutral:

    So I've removed it and added only a regex expression to check if the image has valid extensions.

  • PHP is running on the server side, how does it leak the IP to the client?

  • benj0x Member
    edited February 2020

    @webdev said:
    PHP is running on the server side, how does it leak the IP to the client?

    Probably he fears that someone puts an IP logger link into this checker and gets his backend IP then.

  • @webdev said:
    PHP is running on the server side, how does it leak the IP to the client?

    The client hosts the image on their server and gets into the access logs; my server was querying his URL to check if the image has a valid extension, so he sees in the access logs which IP was accessing the image.

    Here's an example I've tested, and I got the real backend server IP in the Apache logs
    https://i.postimg.cc/NMsWhTyj/screenshot-53.png from my nginx server

  • I see, preventing the IP leak to the image server. Do you need to store the image on your server? Otherwise, what's the point of checking an external image, since they can change it any time later?

  • @webdev said:
    I see, preventing the IP leak to the image server. Do you need to store the image on your server? Otherwise, what's the point of checking an external image, since they can change it any time later?

    No need to store them and you are right, no point, really. Shitty coding that is.

  • jar Patron Provider, Top Host, Veteran
    edited February 2020

    You could route outbound traffic differently. Perhaps as simple as connecting to a VPN as a client.
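
The two mitigations discussed in the thread (checking the avatar URL without fetching it, and routing any unavoidable outbound request away from the origin) as an added PHP sketch; it is not the forum software's or any poster's code, and the function names, the allow-list and the proxy address are hypothetical.

```php
<?php
// Added example. validate_avatar_url(), fetch_via_egress_proxy() and
// ALLOWED_EXT are hypothetical names, not part of any forum package.
const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif', 'webp'];

// Check a user-supplied avatar URL purely by parsing it. No request leaves
// the server, so the remote host never sees the origin IP in its access log.
function validate_avatar_url(string $url): ?string
{
    $url = trim($url);
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null; // no embedded credentials
    }
    // Test the extension on the path only: a regex over the whole URL would
    // also match "?f=a.png" or "#a.png" on a non-image endpoint.
    $ext = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $url : null;
}

// If the server really must fetch the image, send the request through a
// separate egress proxy (e.g. 'http://10.0.0.2:3128', a placeholder) so the
// remote access log records the proxy's address instead of the origin's.
function fetch_via_egress_proxy(string $url, string $proxy): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROXY          => $proxy,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // do not chase redirects
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

// Constructed sample inputs; only the parser runs, nothing is fetched.
foreach ([
    'https://img.example/avatar.png',
    'https://img.example/log.php?f=a.png',
    'ftp://img.example/a.png',
] as $u) {
    printf("%-40s %s\n", $u, validate_avatar_url($u) === null ? 'rejected' : 'accepted');
}
```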
