postgrest-docs icon indicating copy to clipboard operation
postgrest-docs copied to clipboard
verified publisher icon PostgREST

[HOWTO hardening] Replace error messages in nginx

Open ghost opened this issue 5 years ago • 2 comments

The authentication defaults to the anon role, eg if the JWT fails to auth. The result returned from the proxy is far to verbose

{"hint":null,"details":null,"code":"22023","message":"role "DB_ANON_ROLE_NOT_ALLOWED" does not exist"}

ghost avatar May 28 '20 12:05 ghost

Solve by add proxy_intercept_errors on; to the configuration, full include'able nginx.conf snippet.:

###
server {
    listen 0.0.0.0:443 default_server ssl;
    listen [::]:443 default_server ssl;
    server_name  foo_bar;
    # CERTIFICATE
    ssl_certificate /etc/ssl/certs/snakeoil.crt;
    ssl_certificate_key /etc/ssl/private/snakeoil.key;
    # HEADERS
    add_header X-Frame-Options DENY; # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    add_header X-Content-Type-Options nosniff; # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
    add_header X-XSS-Protection "1; mode=block"; # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
    if ($request_method !~ ^(GET|POST|PATCH|PUT|DELETE)$ ) { return 405; }
    root /usr/share/nginx;
    error_page 400 /generic_error.html; 
    location = /generic_error.html {
        internal;
        root /usr/share/nginx/templates;
    }
    location / {
        return 404;
    }
    location /api/ {
        if ($http_authorization = "") { return 405; } # throw out req with missing auth headers
        proxy_pass http://postgrest_api/;
        proxy_intercept_errors on;
        proxy_http_version  1.1;
        proxy_set_header    Host $host;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    Connection "";
        proxy_set_header    Content-Location $upstream_http_content_location; # rewrite
        proxy_hide_header Content-Location;
        add_header Content-Location  /api$upstream_http_content_location;
        default_type        application/json;
    }
}
upstream postgrest_api {
    server localhost:3001;
}

The result eats all error bodys bubbled up from upstream and replaces them with nginx pages. To customize nginx errorpage use error_pages directive.

ghost avatar May 28 '20 12:05 ghost

@hivemall Thanks! I'm leaving your how-to in the docs.

steve-chavez avatar May 28 '20 18:05 steve-chavez

The result returned from the proxy is far to verbose

This is very subjective. We return exactly the errors we want to return, I guess.

wolfgangwalther avatar Feb 18 '24 13:02 wolfgangwalther