The so-called Meme-ACL (Access Control List) controls who gains access to a web service and conceals the deployment.
It does so by checking whether a cookie is set or from which IP address the request is sent.
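```nginx
# Requests from these source addresses skip the cookie check.
map $remote_addr $cookie_skip {
    default   0;
    127.0.0.1 1;
    ::1       1;
}

server {
    # [...]

    # Meme ACL
    set $meme_access 0;
    # Allow if the Cookie header contains the passphrase.
    if ($http_cookie ~ 'SuPeRsEcReTpAsSpHrAsE') {
        set $meme_access 1;
    }
    # Allow if the client address is listed in the map above.
    if ($cookie_skip = 1) {
        set $meme_access 1;
    }
    # Everything else is answered with a 401.
    if ($meme_access = 0) {
        return 401;
    }
}
```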
The Meme-ACL is realised by an Nginx config that splits requests into those passed on to the real web service (True or 1) and those answered with a 401 error (False or 0).
The first block, `map`, lists the IP addresses a request may originate from; for such a `$remote_addr` it sets `$cookie_skip` to True, thus setting `$meme_access` to True.
The second block, `server`, checks whether an HTTP cookie with the value `SuPeRsEcReTpAsSpHrAsE` is set and, if so, sets `$meme_access` to True, thus also allowing access. If neither condition is met, `$meme_access` stays False and the block returns a 401 error.
Instead of a 401 error, other disguise techniques are possible, e.g. a website with misleading content.
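An added example, not part of the original page: the same decision written with `map` blocks only, so the passphrase is compared as the exact value of one named cookie instead of being searched for anywhere in the `Cookie` header, which is what the unanchored `$http_cookie ~` match does. The cookie name `meme`, the variable `$cookie_ok` and the `listen`/`location` lines are assumptions made for illustration.

```nginx
# Goes in the http {} context (map is only valid there).

# Source addresses that skip the cookie check, as on the page.
map $remote_addr $cookie_skip {
    default   0;
    127.0.0.1 1;
    ::1       1;
}

# Exact, case-sensitive comparison of the cookie named "meme" (assumed name).
# $cookie_meme holds only that cookie's value, not the whole Cookie header.
map $cookie_meme $cookie_ok {
    default                 0;
    "SuPeRsEcReTpAsSpHrAsE" 1;
}

# Combine both checks: deny only when neither matched ("00").
map "$cookie_skip$cookie_ok" $meme_access {
    default 1;
    "00"    0;
}

server {
    listen 8080;                      # assumed port

    # Meme ACL: one test instead of three chained if blocks.
    if ($meme_access = 0) {
        return 401;
    }

    location / {
        return 200 "real web service\n";   # stand-in for the protected service
    }
}
```

`$remote_addr` is the address of the directly connecting peer, so behind a reverse proxy or load balancer the `127.0.0.1` and `::1` entries match the proxy rather than the original client.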
- Not-Even-An-ACL