Controlling Access on and off LAN

Ian Hobson hobson42 at gmail.com
Mon Dec 9 10:41:24 UTC 2019


On 07/12/2019 08:14, Rhys Ferris wrote:
 >
 > Hello everyone,
 >
 > Hopefully this is a simple question with a simple answer.
 >
 > First my actual goal:
 >
 > I'm hosting one server: domain.net which at domain.net serves a basic
 > homepage and uses iframes to proxy several other services, which are
 > defined in location blocks: domain.net/service.
 >
 > I want to allow all IPs to access domain.net and the services proxied
 > inside of it. However I want to restrict direct access to
 > domain.net/service from outside my LAN.
 >

Not 100% clear on your requirements, but I would approach it like this.

a) Mount the /service server on a new port - say 8080
b) Mount a dummy server on another port that always returns 404;

   # dummy server: every request gets a 404
   server {
      listen 9090;
      location / {
         return 404;
      }
   }

c) Firewall off the 8080 port at the LAN firewall, so it cannot be 
reached from outside, only by proxy_pass from nginx.
d) In the Iframe, request /services from port 80 as usual.
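e) Use map to map valid referer values to 8080 and
invalid ones to the dummy port

# map belongs in the http {} context
map $http_referer $port {
    default 9090;
    # variables are not expanded in map patterns, so the valid referer is
    # spelled out (assumed here: pages served from domain.net)
    ~*^https?://domain\.net/ 8080;
}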

f) Proxy_pass to the port

location /service/ {
    # setup other proxied headers if needed
    # $port is set by the map on $http_referer: 8080 (service) or 9090 (dummy 404)
    proxy_pass https://192.168.0.??:$port;
}

Code untested. The other methods I thought of used if, which is slow.

Note - some browsers may not send referer headers and will get 404s. If 
this is a problem, set up advice on your 404 page.  Faking referer is 
easy but pointless here.

Regards

Ian
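
An added example, not part of the original post and not nginx code: a small Python model of the `map $http_referer $port` step, for checking which Referer values a candidate pattern routes to 8080 and which fall through to the dummy server on 9090. The pattern `^https?://domain\.net/` and the sample Referer values are assumptions constructed for illustration.

```python
import re

# Ports from the post: 8080 is the real service, 9090 the dummy that returns 404.
SERVICE_PORT, DUMMY_PORT = 8080, 9090

# Assumed pattern: the Referer must be a page on domain.net itself (the host
# named in the question). "~*" in an nginx map means case-insensitive regex.
# nginx uses PCRE; for a pattern this simple Python's re behaves the same.
ANCHORED = re.compile(r"^https?://domain\.net/", re.IGNORECASE)
# The same host name with no anchors, for comparison.
LOOSE = re.compile(r"domain\.net", re.IGNORECASE)


def pick_port(referer, pattern=ANCHORED):
    """Model of `map $http_referer $port`: regex hit -> 8080, else default 9090.

    A missing header reaches the map as an empty string, so None and "" are
    treated the same way.
    """
    return SERVICE_PORT if pattern.search(referer or "") else DUMMY_PORT


# Constructed Referer values, not taken from real traffic.
SAMPLES = [
    "https://domain.net/",                   # the homepage that holds the iframes
    "http://DOMAIN.NET/index.html",          # host case varies
    "",                                      # header not sent by the browser
    "https://domain.net.example.org/",       # different host with the same prefix
    "https://example.org/?from=domain.net",  # name appears only in the query
]


def report(pattern=ANCHORED):
    """Return {referer: port} for every constructed sample."""
    return {r: pick_port(r, pattern) for r in SAMPLES}


if __name__ == "__main__":
    for name, pattern in (("anchored", ANCHORED), ("loose", LOOSE)):
        print(name)
        for referer, port in report(pattern).items():
            print(f"  {referer!r:42} -> {port}")
```

The empty-Referer row is the case the note above describes: those requests land on the dummy server and see the 404 page.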

