Controlling Access on and off LAN

Rhys Ferris rhys.j.ferris at
Sat Dec 7 08:14:12 UTC 2019

        Hello everyone,

Hopefully this is a simple question with a simple answer.

        First my actual goal:

I'm hosting one server: which at serves a basic
homepage and uses iframes to proxy several other services, which are
defined in location blocks:

I want to allow all IPs to access and the services proxied
inside of it. However I want to restrict direct access to from outside my LAN.

        What I've got so far:

I've set up my location blocks for my services to begin with:
allow 192.168.x.x/25;
deny all;
which very effectively blocks access from outside my LAN. However it
still blocks the services when proxied from within, I think
because I am using "proxy_set_header X-Real-IP $remote_addr;" so the
proxied request is arriving at the location block with an external IP. I
looked but could not find documentation on the proxy_set_header
X-Real-IP statement (I even ventured to page 2 of Google :-P) to try to
get it to proxy the request as if my server running nginx had made the

        What I would like from y'all:

 1. If there is a better way to achieve my goal, please tell me. I don't
    have my heart set on this, it's just all I could figure.
 2. How do I use the proxy_set_header X-Real-IP $remote_addr; to fake
    the internal IP? Or is that even the correct header to be using?

Thanks very much for your time,
Rhys Ferris

          Sample location block:

        location /service/ {
            deny all;
            proxy_pass http://prometheus:1234/service/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

Sent from Thunderbird on Ubuntu 19.10
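
An added example, not part of the original post and not nginx's own code: a small Python model of how the allow/deny rules and the proxy_set_header lines described above interact. The LAN range 192.168.1.0/25 (standing in for the post's 192.168.x.x/25), the client addresses, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the post's "allow 192.168.x.x/25; deny all;".
RULES = [("allow", "192.168.1.0/25"), ("deny", "all")]

def access_decision(remote_addr, rules=RULES):
    """Model of ngx_http_access_module: rules are checked in order and
    the first one that matches the client address decides."""
    addr = ipaddress.ip_address(remote_addr)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target):
            return action
    return "allow"  # no rule matched: the access module does not reject

def handle(remote_addr, upstream_headers):
    """Return (status, headers sent upstream). upstream_headers models the
    proxy_set_header lines: they are built only for the proxied request,
    after the allow/deny check, and are never an input to that check."""
    if access_decision(remote_addr) == "deny":
        return 403, None
    sent = {name: value.replace("$remote_addr", remote_addr)
            for name, value in upstream_headers.items()}
    return 200, sent

# Constructed requests for /service/. An iframe is fetched by the visitor's
# browser, so nginx sees the visitor's address, not the server's own.
LAN_BROWSER = "192.168.1.20"
WAN_BROWSER_IFRAME = "203.0.113.7"  # RFC 5737 documentation address
PROXY_HEADERS = {"X-Real-IP": "$remote_addr"}

if __name__ == "__main__":
    for label, ip in [("LAN", LAN_BROWSER), ("WAN iframe", WAN_BROWSER_IFRAME)]:
        print(label, handle(ip, PROXY_HEADERS))
    # Hard-coding a LAN address in the upstream header changes nothing at the gate.
    print("WAN, rewritten header", handle(WAN_BROWSER_IFRAME, {"X-Real-IP": "192.168.1.1"}))
```

In this model a request for /service/ is rejected for an off-LAN browser whether it is typed into the address bar or loaded through the homepage's iframe, because both arrive from the same client address.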
