Controlling Access on and off LAN
Ian Hobson
hobson42 at gmail.com
Mon Dec 9 10:41:24 UTC 2019
On 07/12/2019 08:14, Rhys Ferris wrote:
>
> Hello everyone,
>
> Hopefully this is a simple question with a simple answer.
>
>
> First my actual goal:
>
> I'm hosting one server: domain.net which at domain.net serves a basic
> homepage and uses iframes to proxy several other services, which are
> defined in location blocks: domain.net/service.
>
> I want to allow all IPs to access domain.net and the services proxied
> inside of it. However I want to restrict direct access to
> domain.net/service from outside my LAN.
>
Not 100% clear on your requirements, but I would approach it like this.
a) Mount the /service server on a new port - say 8080
b) Mount a dummy server on another port that always returns 404;
    server {
        # dummy server: every request gets a 404
        listen 9090;
        location / {
            return 404;
        }
    }
c) Firewall off the 8080 port at the LAN firewall, so it cannot be
reached from outside, only by proxy_pass from nginx.
d) In the Iframe, request /services from port 80 as usual.
e) Use map to map valid referer values to 8080 and
invalid ones to the dummy port
    map $http_referer $port {
        default 9090;
        # Referer from the homepage itself (domain.net as in the question)
        ~*^https?://domain\.net/ 8080;
    }
f) Proxy_pass to the port
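    location /service/ {
        # setup other proxied headers if needed
        # no "return 404;" here: return runs in the rewrite phase, so the
        # request would never reach proxy_pass; the dummy port supplies the 404
        proxy_pass https://192.168.0.??:$port;
    }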
Code untested. The other methods I thought of used if, which is slow.
Note - some browsers may not send referer headers and will get 404s. If
this is a problem, set up advice on your 404 page. Faking referer is
easy but pointless here.
Regards
Ian
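
Added example (not part of the message above and not nginx code): a small Python model of the map in step e, showing which upstream port each constructed Referer value would select. The anchored pattern for the placeholder domain.net and the unanchored comparison pattern are assumptions; the model covers only regex entries plus `default`.

```python
import re

# Model of the step (e) map: nginx tries regex entries in order and falls
# back to `default`. The pattern is an assumption, anchored to the
# placeholder site domain.net used in the question.
REFERER_MAP = [
    (re.compile(r"^https?://domain\.net/", re.IGNORECASE), 8080),
]
DEFAULT_PORT = 9090  # dummy server that always answers 404

# A looser, unanchored pattern, included only for comparison.
UNANCHORED = [(re.compile(r"domain\.net", re.IGNORECASE), 8080)]


def pick_port(referer, entries=REFERER_MAP):
    """Return the upstream port the map would select for a Referer value."""
    value = referer or ""  # an absent header is an empty string to nginx
    for pattern, port in entries:
        if pattern.search(value):
            return port
    return DEFAULT_PORT


# Constructed Referer values (None = header not sent by the browser).
SAMPLES = [
    "https://domain.net/",
    "http://DOMAIN.NET/index.html",
    None,
    "https://domain.net.example.org/",
    "https://example.org/?from=domain.net",
]


def report(samples=SAMPLES):
    """Rows of (referer, port with anchored map, port with unanchored map)."""
    return [(r, pick_port(r), pick_port(r, UNANCHORED)) for r in samples]


if __name__ == "__main__":
    for referer, anchored, loose in report():
        print(f"{str(referer):40} anchored={anchored} unanchored={loose}")
```

Running the same values through curl with `-H "Referer: ..."` against a test instance confirms that the live map agrees with the model.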