Welcome! Log In Create A New Profile

Controlling Access on and off LAN

All files from this thread

File Name	File Size		Posted by	Date
smime.p7s	4.3 KB	open \| download	rhysers	12/07/2019	Read message
smime.p7s	4.3 KB	open \| download	rhysers	12/08/2019	Read message

Previous Message Next Message

Forum List Message List New Topic Print View

rhysers

December 07, 2019 03:16AM

Registered: 4 years ago
Posts: 4

Hello everyone,

Hopefully this is a simple question with a simple answer.

First my actual goal:

I'm hosting one server: domain.net which at domain.net serves a basic
homepage and uses iframes to proxy several other services, which are
defined in location blocks: domain.net/service.

I want to allow all IPs to access domain.net and the services proxied
inside of it. However I want to restrict direct access to
domain.net/service from outside my LAN.

What I've got so far:

I've set up my location blocks for my services to begin with:
allow 192.168.x.x/25;
deny all;
which very effectively blocks access from outside my LAN. However it
still blocks the services when proxied from within domain.net, I think
because I am using "proxy_set_header X-Real-IP $remote_addr;" so the
proxied request is arriving at the location block with an external IP. I
looked but could not find documentation on the proxy_set_header
X-Real-IP statement (I even ventured to page 2 of google :-P) to try to
get it to proxy the request as if my server running nginx had made the
request.

What I would like from y'all:

1. If there is a better way to achieve my goal, please tell me. I don't
have my heart set on this, its just all I could figure.
2. How do I use the proxy_set_header X-Real-IP $remote_addr; to fake
the internal IP? or is that even the correct header to be using?

Thanks very much for your time,
Rhys Ferris

Sample location block:

        location /service/ {
            allow 192.168.136.128/25;
            deny all;
            proxy_pass http://prometheus:1234/service/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

--
Sent from Thunderbird on Ubuntu 19.10

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

Attachments:
open | download - smime.p7s (4.3 KB)

RSS

Subject	Author	Posted
'Lost' the default config location	chewiesw	December 03, 2019 05:28AM
Re: 'Lost' the default config location	Francis Daly	December 04, 2019 07:08AM
Controlling Access on and off LAN	rhysers	December 07, 2019 03:16AM
Re: Controlling Access on and off LAN	Francis Daly	December 08, 2019 08:52AM
Re: Controlling Access on and off LAN	rhysers	December 08, 2019 07:32PM
Re: Controlling Access on and off LAN	Francis Daly	December 10, 2019 07:34AM
Re: Controlling Access on and off LAN	Ian Hobson	December 09, 2019 05:42AM