All files from this thread

File Name	File Size		Posted by	Date
smime.p7s	4.3 KB	open | download	rhysers	12/07/2019	Read message
smime.p7s	4.3 KB	open | download	rhysers	12/08/2019	Read message

On 07/12/2019 08:14, Rhys Ferris wrote:
>
> Hello everyone,
>
> Hopefully this is a simple question with a simple answer.
>
>
> First my actual goal:
>
> I'm hosting one server: domain.net which at domain.net serves a basic
> homepage and uses iframes to proxy several other services, which are
> defined in location blocks: domain.net/service.
>
> I want to allow all IPs to access domain.net and the services proxied
> inside of it. However I want to restrict direct access to
> domain.net/service from outside my LAN.
>

Not 100% clear on your requirements, but I would approach it like this.

a) Mount the /service server on a new port - say 8080
b) Mount a dummy server on another port that always returns 404;

server dummy {
listen 9090;
location / {
return 404;
}
}

c) Firewall off the 8080 port at the LAN firewall, so it cannot be
reached from outside, only by proxy_pass from nginx.
d) In the Iframe, request /services from port 80 as usual.
e) Use map to map valid referer valued to 8080 and
invalid ones to the dummy port

map $http_referer $port {
default 9090
~*($http_referer) 8080;
}

f) Proxy_pass to the port

location /service/ {
# setup other proxied headers if needed
proxy_pass https://192.168.0.??:$port;
return 404;
}

Code untested. The other methods I though of used if, which is slow.

Note - some browsers may not send refer headers and will get 404s. If
this is a problem, set up advice on your 404 page. Faking referer is
easy but pointless here.

Regards

Ian
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx