0

I have a very simple setup. Three containers in docker that I want to communicate between, nothing else. Attacker (kali with nginx), reverse-proxy (alpine with nginx), and victim (alpine). I'd like to, inside victim, curl reverse-proxy and get attacker's website. So far I can get attacker's website directly by curl http://172.17.0.2:5555 and reverse-proxy's by curl http://172.17.0.3/ . But when I do curl http://172.17.0.3/merlin I get:

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>

For reverse-proxy (172.17.0.3) my /etc/nginx/conf.d/default.conf :

server {
    listen       80;
    listen  [::]:80;
    server_name  proxy;

    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    location /merlin {
        proxy_pass http://172.17.0.2:5555;
    }
    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

For attacker (172.17.0.2) my /etc/nginx/conf.d/default.conf :

server {
    listen       5555;
    listen  [::]:5555;
    server_name  localhost;

    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }


    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

Grant Collins on youtube has managed something similar, but I just can't get it to work.

Wolfff
  • 1
  • `http://172.17.0.3/merlin` is passed to `http://172.17.0.2:5555/merlin` which is presumably why you get the 404 response. – Richard Smith May 10 '22 at 08:14
  • It is?? I'm sorry I don't see that, should I write `proxy_pass` differently or is it something in attacker default.conf? – Wolfff May 10 '22 at 09:09
  • See [this Q&A](https://serverfault.com/questions/379675/nginx-reverse-proxy-url-rewrite) – Richard Smith May 10 '22 at 09:45
  • I get it now, thank you! I need to add a rewrite if I want it to go to `http://172.17.0.2:5555`. I did it like this `rewrite ^/merlin?$ / break;` but that didn't work, though I'm sure it's just me not understanding how to write rewrites yet. Thanks again! – Wolfff May 10 '22 at 09:56
  • Actually all it took was adding a `/` in location like this: `location /merlin { proxy_pass http://172.17.0.2:5555/; } ` Since that slash will "delete" the first part of uri(?) so it just becomes `http://172.17.0.2/` – Wolfff May 10 '22 at 10:04

1 Answers1

0

As Richard noticed http://172.17.0.3/merlin is passed to http://172.17.0.2:5555/merlin which didn't exist, hence the 404. What I needed to do was to use a rewrite to change that. In my case changing proxy_pass http://172.17.0.2:5555; to proxy_pass http://172.17.0.2:5555/; sufficed. (answer as to why - here).

Wolfff
  • 1