Hi,
I have two droplets.
The first droplet is my frontend and the second is my backend.
The first droplet use nginx as proxy reverse. So if client/browser access my site, the first droplet ccall the second droplet to retrieve data.
I want to restrict my backend(It use Docker and nginx) by using nginx but i have an issue because it blocks all ips.
This is my code:
allow XXX.XX.XXX // frontend droplet ;
deny all;
Hi @dmm2019,
It seems you are on the right path to resolve this issue yourself. Having said that, you didn’t mentioned where you added the above rules.
To deny all access, except certain addresses, add a file named server.whitelist, with the following contents:
allow 1.2.3.4; # Allow a single remote host
deny all; # Deny everyone else
Regards,
KDSys
Hi @KDSys
Thank you.
I added the rules in backend droplet but i think that it cannot retrieve the source IP address.
My code
Frontend droplet nginx conf
upstream web_site {
server localhost:4000;
}
server {
listen 80;
server_name mydomain;
location / {
proxy_pass http://web_site;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Backend droplet nginx conf inside docker container
upstream web_site {
ip_hash;
server web:8000;
}
server {
listen 80;
server_name api.mydomain.com;
location / {
satisfy any;
allow frontend droplet ip;
deny all;
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
}
server {
listen 443 ssl;
server_name api.mydomain.com;
location / {
satisfy any;
allow frontend droplet ip;
deny all;
proxy_pass http://web_site/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
}
}
it blocks all ips.
Thank you in advance