Controlling Access on and off LAN

Francis Daly francis at
Sun Dec 8 13:50:43 UTC 2019

On Fri, Dec 06, 2019 at 10:14:12PM -1000, Rhys Ferris wrote:

Hi there,

> I'm hosting one server: which at serves a basic
> homepage and uses iframes to proxy several other services, which are
> defined in location blocks:
> I want to allow all IPs to access and the services proxied
> inside of it. However I want to restrict direct access to
> from outside my LAN.

Reading that, and reading the config, I'm afraid that I'm not sure what
you are trying to achieve.

Note that "iframe" and "proxy" are unrelated concepts; it is possible
that that might change the understanding of the requirement.

My first guess is that you want to allow anyone to access; and you want LAN-users to be able to access
prometheus:1234/service; and you want off-LAN users to not be able to
access prometheus:1234/service directly.

Is that it?

>  1. If there is a better way to achieve my goal, please tell me. I don't
>     have my heart set on this, it's just all I could figure.

As above -- I'm not sure what the goal is, so I can't offer a suggestion.

>  2. How do I use the proxy_set_header X-Real-IP $remote_addr; to fake
>     the internal IP? or is that even the correct header to be using?

I suspect that that's also part of the goal; I'm unclear on what the aim
there is either.

Possibly your whole question is clear to others; in which case they will
be able to respond in due time.

But in case it's not, it may be helpful for others if you can describe
your goal in other words.


Francis Daly        francis at
