Question

How to restrict ip in Nginx?

Posted January 11, 2020 557 views
NginxDocker

Hi,
I have two droplets.
The first droplet is my frontend and the second is my backend.
The first droplet use nginx as proxy reverse. So if client/browser access my site, the first droplet ccall the second droplet to retrieve data.
I want to restrict my backend(It use Docker and nginx) by using nginx but i have an issue because it blocks all ips.
This is my code:
allow XXX.XX.XXX // frontend droplet ;
deny all;

Add a comment
dmm2019
By:
dmm2019
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
KDSys January 12, 2020

Hi @dmm2019,

It seems you are on the right path to resolve this issue yourself. Having said that, you didn’t mentioned where you added the above rules.

To deny all access, except certain addresses, add a file named server.whitelist, with the following contents:

allow 1.2.3.4; # Allow a single remote host
deny all; # Deny everyone else

Regards,
KDSys

Reply Report
  • dmm2019 January 12, 2020

    Hi @KDSys
    Thank you.
    I added the rules in backend droplet but i think that it cannot retrieve the source IP address.
    My code

    Frontend droplet nginx conf
upstream web_site {
    server localhost:4000;
}
server {
    listen 80;
    server_name mydomain;
    location / {
        proxy_pass http://web_site;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
         proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

    Backend droplet nginx conf inside docker container

upstream web_site {
  ip_hash;
  server web:8000;
}

server {
    listen 80;
    server_name api.mydomain.com;
    location / {
        satisfy any;
       allow frontend droplet ip;
        deny all;
        return 301 https://$host$request_uri;
    }
    location /.well-known/acme-challenge/ {
         root /var/www/certbot;
    }
}

server {
    listen 443 ssl;
    server_name api.mydomain.com;


    location / {
          satisfy any;
       allow frontend droplet ip;
        deny all;
        proxy_pass http://web_site/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }


}

    it blocks all ips.

    Thank you in advance

    Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help