Controlling Access on and off LAN
Rhys Ferris
rhys.j.ferris at gmail.com
Sat Dec 7 08:14:12 UTC 2019
Hello everyone,
Hopefully this is a simple question with a simple answer.
First my actual goal:
I'm hosting one server: domain.net which at domain.net serves a basic
homepage and uses iframes to proxy several other services, which are
defined in location blocks: domain.net/service.
I want to allow all IPs to access domain.net and the services proxied
inside of it. However, I want to restrict direct access to
domain.net/service from outside my LAN.
What I've got so far:
I've set up my location blocks for my services to begin with:
    allow 192.168.x.x/25;
    deny all;
which very effectively blocks access from outside my LAN. However, it
still blocks the services when proxied from within domain.net, I think
because I am using "proxy_set_header X-Real-IP $remote_addr;" so the
proxied request is arriving at the location block with an external IP. I
looked but could not find documentation on the proxy_set_header
X-Real-IP statement (I even ventured to page 2 of Google :-P) to try to
get it to proxy the request as if my server running nginx had made the
request.
What I would like from y'all:
1. If there is a better way to achieve my goal, please tell me. I don't
have my heart set on this, it's just all I could figure.
2. How do I use the proxy_set_header X-Real-IP $remote_addr; to fake
the internal IP? Or is that even the correct header to be using?
Thanks very much for your time,
Rhys Ferris
Sample location block:
    location /service/ {
        allow 192.168.136.128/25;
        deny all;
        proxy_pass http://prometheus:1234/service/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
--
Sent from Thunderbird on Ubuntu 19.10
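
Added example (not part of the original message, and not the poster's or the nginx project's own configuration): the sample location block, annotated to show which address each directive acts on, with a log format for checking it. allow/deny are matched against the connecting client's address ($remote_addr), and a page in an iframe is requested by the visitor's browser, while proxy_set_header only changes headers sent to the upstream. The events block, listen port, root path, log path and the acl_debug format name are assumptions.

```nginx
# Added example; names marked "assumed" do not come from the original post.
events {}

http {
    # Log the address the access check uses next to the headers involved,
    # so the source of each /service/ request is visible.
    log_format acl_debug '$remote_addr "$request" $status '
                         'referer="$http_referer" '
                         'client_x_real_ip="$http_x_real_ip" '
                         'xff_to_upstream="$proxy_add_x_forwarded_for"';

    server {
        listen 80;                      # assumed
        server_name domain.net;

        location / {
            root /var/www/html;         # assumed: homepage containing the iframes
        }

        location /service/ {
            access_log /var/log/nginx/service_acl.log acl_debug;  # assumed path

            # Access phase: compared with $remote_addr, the peer address of
            # the TCP connection. A browser outside the LAN that renders the
            # iframe connects from its own address, so it is denied here.
            # Request headers, including a client-supplied X-Real-IP, are not
            # consulted by allow/deny.
            allow 192.168.136.128/25;
            deny all;

            # Content phase: reached only when the access check passed.
            # These headers are added to the request nginx sends to the
            # upstream; they do not change $remote_addr or the decision above.
            proxy_pass http://prometheus:1234/service/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

With this in place, opening domain.net from outside the LAN writes 403 entries to the log whose first field is the visitor's public address and whose referer is the homepage.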