{"id":25809,"date":"2015-09-02T21:13:43","date_gmt":"2015-09-02T15:43:43","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=25809"},"modified":"2015-09-10T13:41:02","modified_gmt":"2015-09-10T08:11:02","slug":"selective-blocking-of-curl-and-wget","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/selective-blocking-of-curl-and-wget\/","title":{"rendered":"Selective blocking of curl and wget"},"content":{"rendered":"

Wget is a pretty handy tool that lets users download files from any HTTP\/HTTPS or FTP server. Curl, on the other hand is an amazing tool that helps you build a new request with plethora of protocols such as \u00a0HTTP, HTTPS, FTP, Telnet, SMTP etc. These tools can be used to test protocols or your server configurations, but at the same time they can also be misused by a malicious attacker to exploit any website.<\/p>\n

In order to thwart these malicious attacks, we need to put specific measures in place. \u00a0One such measure is to block all requests from wget and curl. However, there are specific use cases where you require that external\u00a0users can’t use these tools but specific IPs or servers can.<\/p>\n

So the question is how can we achieve this functionality with Nginx?<\/p>\n

One simple way is to block all requests from wget and curl using the sample code given below.<\/p>\n

### Block wget user agent ###\r\nif ($http_user_agent ~* (wget|curl) ) {\r\n   return 403;\r\n}<\/pre>\n
This code block will disallow all requests coming from wget or curl.<\/p>\n
In our deployment scenarios, we have some specific servers, which access our website with these tools. Hence, we need a custom solution, where we can\u00a0restrict curl or wget requests from outside network but not from specific servers or IP addresses.<\/p>\n
One simple way of achieving this functionality is using Nginx modules. For our solution, we will be using Map and Geo module and some internal variables defined in them.<\/p>\n
1. Map module<\/strong> is used to set or create variables depending on the value of source variables.<\/p>\n
For example:<\/p>\n
[js]<\/p>\n
map $http_user_agent $disallow {
\n\tdefault 0;
\n\t~*(curl|wget) 1;
\n}<\/p>\n
[\/js]<\/p>\n
In the code shown above, we have\u00a0created a variable named disallow <\/strong> whose value will depend upon the http_user_agent<\/strong> source variable. Now if the user agent is curl or wget, then disallow<\/strong> variable will take value 1 else it will remain\u00a00, which is the default value.
\nReference: ngx_http_map_module
\n<\/a><\/p>\n
2. Geo module<\/strong> is used to set the value of variable depending on the value of client IP address.<\/p>\n
For example:<\/p>\n
[js]<\/p>\n
geo $myserver {
\n\tdefault 1;
\n\tx.x.x.x 0;
\n}
\n[\/js]<\/p>\n
Here, we have declared a variable myserver,<\/strong> whose value depends upon the IP address (x.x.x.x) mentioned in the block. If the value of \u00a0IP address is x.x.x.x then myserver<\/strong> value will be 0 else it will remain 1, which is the default value.
\nReference: ngx_http_geo_module<\/a><\/p>\n
Now, based on the value of disallow and myserver variable, we will be able to reject requests coming from unknown IPs with a 403.<\/p>\n
We can define\u00a0these two modules in nginx.conf<\/strong> file under http block<\/strong> as shown below.<\/p>\n
[js]<\/p>\n
http {<\/p>\n
\tgeo $myserver{
\n\t\tdefault 1;
\n\t\tx.x.x.x 0;
\n\t\ty.y.y.y 0;
\n\t}<\/p>\n
\tmap $http_user_agent $disallow{
\n\t\tdefault 0;
\n\t\t~*(curl|wget) $myserver;
\n\t}<\/p>\n
}<\/p>\n
[\/js]<\/p>\n
The specific IPs (x.x.x.x and y.y.y.y) from which we want to allow wget and curl are defined in geo block of code. These IPs will set the value of the variable myserver<\/strong> to 0. Based on myserver value, the variable disallow<\/strong> in map block will be set. \u00a0In the example shown above, curl or wget user agents used by whitelisted IPs ( x.x.x.x\/y.y.y.y) will set the disallow<\/strong> variable value to 0.<\/p>\n
Now, the decision to accept or reject the curl\/wget request is based upon the value of disallow variable. This can be defined in the virtual host file of the nginx.<\/p>\n
Sample Code<\/strong><\/p>\n
[js]<\/p>\n
server {<\/p>\n
\tlocation \/ {<\/p>\n
\t\tif($disallow) {
\n\t\t\treturn 403;
\n\t\t}
\n\t}
\n}<\/p>\n
[\/js]<\/p>\n
For whitelisted IPs, this code will be bypassed and for any other external users 403 error will be given as a result.<\/p>\n","protected":false},"excerpt":{"rendered":"
Wget is a pretty handy tool that lets users download files from any HTTP\/HTTPS or FTP server. Curl, on the other hand is an amazing tool that helps you build a new request with plethora of protocols such as \u00a0HTTP, HTTPS, FTP, Telnet, SMTP etc. These tools can be used to test protocols or your […]<\/p>\n","protected":false},"author":204,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":45},"categories":[1174,1],"tags":[814,2302,2307,2308,2305,2306,2303,2304,2301],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/25809"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/204"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=25809"}],"version-history":[{"count":0,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/25809\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=25809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=25809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=25809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}