How to hide restricted nginx subdomains?

Question

To hide a restricted location, e.g.

location /secret/ {
 allow 10.0.0.0/24;
 deny all;
}

one could set

error_page 403 =404 /404.html;
error_page 404 /404.html;

to make impossible to distinguish a non-existing location (404) from a restricted one (403).

Is there a way to perform a similar spoof for subdomains?

I want https://admin.example.org/, which normally returns 403 if not visited via VPN, to show the same of https://nonexistingsubdomain.example.org/, e.g. a .html page with a redirect to https://example.org/.

score 0 · Answer 1 · answered Feb 23 '22 at 20:35

0

Usually the subdomain is a different DNS record and points to a IP address(server). In your case you can create a virtual host which will handle all requests to https://admin.example.com for ex. and setup permissions there.

Take a look at this article: https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-virtual-hosts-on-ubuntu-16-04

answered Feb 23 '22 at 20:35

Zhivko Zhelev

71
4

All subdomains already point to the same host in my case, so there is no way to tell which one are active by just performing a DNS query. However if one guesses https://admin.example.com/ he sees 403 and he understand that the subdomain is actually used. – Polizi8 Feb 23 '22 at 22:23
I mean to create a new virtual host for admin.example.com and after that with htaccess file you can setup rules to access and what to if user is not authorized. – Zhivko Zhelev Feb 23 '22 at 23:19

How to hide restricted nginx subdomains?

1 Answers1