Deny IP blocks with exceptions - help with configs

August 10, 2010 12:09PM
Hi,

I am trying to solve an issue, and I think NGINX is the right solution as we already use it as our frontend proxy.

The problem is this: we have several domains that are pointed to the same thing. We need to block/deny a group of subnets. There is an exception to this: if the client comes in pointing at a specific domain, then we should pass him/her even if the originating IP block is normally denied.

First, let's call this domain.com, and let's add a.domain.com, b.domain.com, and c.domain.com.
a.domain.com should accept all clients from any IP range.
{b|c}.domain.com, *.domain.com, 86.75.3.09, and other.someone-elses-domain.net should pass everything except the netblocks listed in the include file "blockips.conf".

What is currently happening is that, using the config template below, all traffic is flowing to all domains, regardless of originating netblock. I have tried various orders and different configs entirely, and the result is the same for different reasons: either it blocks everything, the config is bad and won't load, or it passes everything. Any help on this is greatly appreciated.

This is what I did (names changed to protect the innocent):

I created a file called /etc/nginx/blockips.conf

#----BEGIN blockips.conf

deny 1.1.0.0/16;
deny 2.2.0.0/16;
deny 3.3.0.0/16;
deny 4.4.0.0/16;

#----END blockips.conf

#----BEGIN nginx.conf

upstream prod-a {
    server 10.1.1.10;
}

upstream prod-b {
    ip_hash;
    server 10.1.1.10;
}

# a.domain.com: no deny list, accepts every client
server {
    large_client_header_buffers 4 16k;
    proxy_buffer_size 16k;
    proxy_buffers 8 16k;
    proxy_busy_buffers_size 32k;
    proxy_intercept_errors on;
    proxy_buffering on;
    proxy_temp_path /my/nginx/temp;

    listen 80;
    server_name a.domain.com;

    location / {
        proxy_pass http://prod-a;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}

# all other names: deny list applies (only inside "location /")
server {
    large_client_header_buffers 4 16k;
    proxy_buffer_size 16k;
    proxy_buffers 8 16k;
    proxy_busy_buffers_size 32k;
    proxy_intercept_errors on;
    proxy_buffering on;
    proxy_temp_path /my/nginx/temp;

    listen 80;
    # b/c.domain.com were written as "b.domain.com.com c.domain.com.com" above, which matches the text's b.domain.com / c.domain.com
    server_name b.domain.com c.domain.com *.domain.com 86.75.3.09 other.someone-elses-domain.net;

    location / {
        include blockips.conf;
        proxy_pass http://prod-b;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}

#----END nginx.conf
Posted by svieweng, August 10, 2010 12:09PM
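The layout below is an added example of the "deny these netblocks everywhere except on a.domain.com" setup; it is not from the original post or from any reply, and it has not been tested against the poster's environment. Hostnames, upstream addresses and the blockips.conf path are the ones from the post; the events block, `default_server`, the absolute include path and the commented realip directives (with the placeholder load-balancer address 192.0.2.1) are assumptions. Two points a practitioner would check first: with several name-based servers on one port, a request whose Host header matches no server_name is handled by the default server, which, unless declared, is the first server listed on that port, here the unrestricted a.domain.com block; and if another proxy or load balancer sits in front of nginx, $remote_addr is that machine's address and no entry in the deny list can ever match. A Host-based exception is also trivially spoofable (any client can send `Host: a.domain.com`), so it is routing, not access control.

```nginx
# Added example, not the original poster's configuration.
# Directives marked ASSUMED are not from the post.
events { worker_connections 1024; }

http {
    upstream prod-a {
        server 10.1.1.10;
    }

    upstream prod-b {
        ip_hash;
        server 10.1.1.10;
    }

    # ASSUMED: only needed if a load balancer or CDN is in front of nginx.
    # Without it $remote_addr is the load balancer's address, the deny list
    # never matches a real client, and every request passes. 192.0.2.1 is a
    # placeholder; trust X-Forwarded-For only from that one address.
    #set_real_ip_from 192.0.2.1;
    #real_ip_header   X-Forwarded-For;

    # The exception host: no deny list here, by design. A client on a denied
    # netblock reaches this block simply by sending "Host: a.domain.com".
    server {
        listen 80;
        server_name a.domain.com;

        location / {
            proxy_pass http://prod-a;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
        }
    }

    # Everything else. default_server makes this block, rather than the
    # unrestricted a.domain.com block (the first one listed), handle requests
    # whose Host header matches no server_name, so an unknown Host cannot
    # bypass the deny list.
    server {
        listen 80 default_server;
        server_name b.domain.com c.domain.com *.domain.com 86.75.3.09 other.someone-elses-domain.net;

        # Absolute path: a relative "include blockips.conf" is resolved against
        # the directory of the main configuration file, which is fine when that
        # is /etc/nginx but silently wrong otherwise. Placing the include at
        # server level covers every location in this block, not only "/".
        include /etc/nginx/blockips.conf;

        location / {
            proxy_pass http://prod-b;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
        }
    }
}
```

Check the syntax with `nginx -t` before reloading. Then, from a host inside one of the denied ranges, a request with a Host header that matches nothing (for instance the made-up `Host: nosuch.example`) should now get 403 from nginx instead of being proxied through the a.domain.com block, while the same client sending `Host: a.domain.com` is still passed to prod-a. If a denied client still gets through on the second server, look at what nginx logs as the client address: if it is the load balancer's, the realip directives are needed.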