Hi,
I have two droplets.
The first droplet is my frontend and the second is my backend.
The first droplet uses nginx as a reverse proxy. So if a client/browser accesses my site, the first droplet calls the second droplet to retrieve data.
I want to restrict my backend (it uses Docker and nginx) by using nginx, but I have an issue because it blocks all IPs.
This is my code:
allow XXX.XX.XXX // frontend droplet ;
deny all;

1 answer

Hi @dmm2019,

It seems you are on the right path to resolve this issue yourself. Having said that, you didn’t mention where you added the above rules.

To deny all access, except certain addresses, add a file named server.whitelist, with the following contents:

allow 1.2.3.4; # Allow a single remote host
deny all; # Deny everyone else

Regards,
KDSys

  • Hi @KDSys
    Thank you.
    I added the rules in the backend droplet but I think that it cannot retrieve the source IP address.
    My code

    Frontend droplet nginx conf

    upstream web_site {
        server localhost:4000;
    }
    server {
        listen 80;
        server_name mydomain;
        location / {
            proxy_pass http://web_site;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            proxy_redirect off;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    Backend droplet nginx conf inside docker container

    upstream web_site {
        ip_hash;
        server web:8000;
    }

    server {
        listen 80;
        server_name api.mydomain.com;
        location / {
            satisfy any;
            allow frontend droplet ip;
            deny all;
            return 301 https://$host$request_uri;
        }
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }
    }

    server {
        listen 443 ssl;
        server_name api.mydomain.com;

        location / {
            satisfy any;
            allow frontend droplet ip;
            deny all;
            proxy_pass http://web_site/;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_redirect off;
        }
    }
    

    It blocks all IPs.

    Thank you in advance
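
One way to check which address the backend nginx compares against `allow`/`deny`, as an added example that is not part of the original thread: the access rules match `$remote_addr` (the TCP peer of the connection), not the `X-Forwarded-For` header. The log format name `peer_debug`, the log path, the plain-HTTP server block and the address 203.0.113.10 are assumptions made for the illustration.

```nginx
# Added example, not from the thread. Place inside the http {} context of the
# backend nginx (the one running in the container).
# 203.0.113.10 is a documentation-range placeholder for the frontend droplet.

# Log the address that allow/deny is matched against, next to the
# X-Forwarded-For header, so the two can be compared per request.
log_format peer_debug '$remote_addr xff="$http_x_forwarded_for" '
                      'host=$host "$request" $status';

upstream web_site {
    ip_hash;
    server web:8000;
}

server {
    listen 80;
    server_name api.mydomain.com;

    access_log /var/log/nginx/peer_debug.log peer_debug;

    location / {
        # allow/deny are evaluated against $remote_addr only. A request
        # logged with status 403 and a first field other than the allowed
        # address reached nginx from that other address (for example a
        # private-network or Docker-internal one).
        allow 203.0.113.10;
        deny  all;

        proxy_pass http://web_site/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
}
```

After one request through the frontend, the first field of the last log line is the address nginx tested; the error log records the same denial as "access forbidden by rule" with the `client:` address. If that address is identical for requests coming from any host, an `allow` rule on it cannot single out the frontend, and the restriction has to be applied at a layer that still sees the real peer.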
