I have an Ubuntu server running a Flask app under nginx; this is my conf:

upstream flaskapp {
  server fail_timeout=0;
}

server {
  listen 80;
  server_name _;
  location / {
    add_header "Access-Control-Allow-Origin" "http://localhost, https://website";
    try_files $uri @proxy_to_app;
  }

  location @proxy_to_app {
    proxy_pass http://flaskapp;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }
}

server {
  listen 443;

  ssl on;
  ssl_certificate      /etc/letsencrypt/live/server/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/server/privkey.pem;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  location / {
    add_header "Access-Control-Allow-Origin" "http://localhost, https://website";
    try_files $uri @proxy_to_app;
  }

  location @proxy_to_app {
    proxy_pass http://flaskapp;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }
}

There might be a lot of redundant code, since I compiled it from many sources but it works as intended.
Also, I observe a lot of incoming requests from all types of botnets checking my routes, like this:

, - - [20/Jul/2020 14:41:20] "GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php HTTP/1.1" 404 356 0.000558
(1805) accepted ('', 34590), - - [20/Jul/2020 14:41:22] "GET /sqladmin/index.php HTTP/1.1" 404 356 0.000541
(1805) accepted ('', 34592), - - [20/Jul/2020 14:41:22] "GET /sql/index.php HTTP/1.1" 404 356 0.000506
(1805) accepted ('', 34594), - - [20/Jul/2020 14:41:23] "GET /SQL/index.php HTTP/1.1" 404 356 0.000543
(1805) accepted ('', 34596), - - [20/Jul/2020 14:41:23] "GET /websql/index.php HTTP/1.1" 404 356 0.000570
(1805) accepted ('', 34598), - - [20/Jul/2020 14:41:23] "GET /MySQLAdmin/index.php HTTP/1.1" 404 356 0.000566
(1805) accepted ('', 34600), - - [20/Jul/2020 14:41:24] "GET /manager/html HTTP/1.1" 404 356 0.000642
(1805) accepted ('', 34602), - - [20/Jul/2020 14:41:24] "POST /axis2/axis2-admin/login HTTP/1.1" 404 356 0.000606
(1805) accepted ('', 34610), - - [20/Jul/2020 14:43:12] "GET / HTTP/1.1" 404 356 0.000507

And this is my own request which is processed correctly:

, - - [20/Jul/2020 20:49:33] "GET /socket.io/?client=KbDHcPsvwELKRJCCFKleAA6HLy&EIO=3&transport=polling&t=NDj_I0I HTTP/1.1" 200 437 0.001434
(1805) accepted ('', 35076)

I would like to deny all incoming POST and GET requests except for /socket.io/ with client/transport args (plus SSH on 22 to that machine of course).
This is my try which doesn't work (possibly I need some nested location construction):

location = /socket.io/ {
  limit_except GET {
    deny all;
  }
}

How can I deny everything except GET requests to a specified location with args?

  • Do you mean that the only valid URL path on this `server` is `/socket.io/` ? – Michael Hampton Jul 21 '20 at 15:10
  • @MichaelHampton Yes, I plan to communicate with this Flask app via websockets only. Also to add some basic auth I plan to use client/transport arguments. – Igniter Jul 21 '20 at 15:25
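
One way to express the restriction asked about above, as an added example that is not part of the original question or its comments. It assumes the `flaskapp` upstream and certificate paths from the question's config, merges the two `server` blocks into one, and replaces the `try_files`/`@proxy_to_app` pair with a single exact-match location:

```nginx
# Added example; relies on the "upstream flaskapp { ... }" block from the question.
server {
  listen 80;
  listen 443 ssl;
  server_name _;

  ssl_certificate      /etc/letsencrypt/live/server/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/server/privkey.pem;

  # Exact match: only the path "/socket.io/" (with any query string) is proxied.
  location = /socket.io/ {
    # limit_except GET permits GET and HEAD; every other method gets 403.
    limit_except GET {
      deny all;
    }

    # Reject requests missing the query arguments seen in the legitimate request.
    # This checks presence only; validating the values is left to the app.
    # "if" blocks that contain nothing but "return" are safe inside a location.
    if ($arg_client = "")    { return 403; }
    if ($arg_transport = "") { return 403; }

    proxy_pass http://flaskapp;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }

  # Every other path (the scanner probes in the log) stops here and never
  # reaches Flask. 444 is nginx-specific: close the connection, send nothing.
  location / {
    return 444;
  }
}
# SSH on port 22 is not handled by nginx, so this config does not affect it.
```

With only GET allowed, Socket.IO's long-polling transport cannot send client-to-server packets, because it uses POST for them, so clients would need to connect over the WebSocket transport. If polling has to keep working, list POST alongside GET in `limit_except`.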
