Using nginx reverse proxy, how do you BLOCK all request except if request comes from my application

Time:04-25

I'm actually new to nginx. I was trying to create a reverse proxy using nginx for my REST API.

Here's my setup:

I have a server which, for the purpose of labelling, we shall call myserver, with the domain name myserver.com.

Now, my backend REST API (which is written in Django) resides in myserver and is run via docker (internally, backend-api:8000). I created a reverse proxy that interfaces with this backend server, and I created a subdomain for it (subdomain.myserver.com) that actually just points to backend-api:8000.

Now, I also have a frontend app (written in PHP) which is also deployed on the same server (myserver) and is also hosted via docker. I then have a separate domain name for this (say, frontend.com) that just points to the directory of the frontend PHP files in myserver.

Now, I am looking for a way to block all other requests except those that come from my application only (from frontend.com). I tried adding if ($host != "frontend.com") {return 404;} but when I tested it, my frontend.com received a 404 when I tried to connect to the backend. I also tried using the allow directive, but still to no avail.

Here is my default.conf:

server {
    listen 80;

    allow 127.0.0.1;
    deny all;

    location /static {
        alias /vol/static;
    }

    location / {
        uwsgi_pass backend-api:8000;
        include /etc/nginx/uwsgi_params;
    }

    add_header Strict-Transport-Security max-age=31536000 always;

    gzip on;
    gzip_comp_level 2;
    gzip_min_length 1024;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types application/x-javascript application/javascript application/xml application/json text/xml text/css text;

    client_max_body_size 10M;

    client_body_timeout 12;
    client_header_timeout 12;
    reset_timedout_connection on;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;

    expires 1y;
    access_log off;
    log_not_found off;

}

CodePudding user response:

The typical way is to block requests by IP address (for example, allow only 192.168.100.100):

location / {
    allow 192.168.100.100;
    deny all;
    uwsgi_pass backend-api:8000;
    include /etc/nginx/uwsgi_params;
}

Or you can check $remote_addr:

if ($remote_addr != 192.168.100.100) {
    # return ends request processing; a break after it would never run
    return 403;
}

Checking $host != "frontend.com" won't work because it checks the request's Host header, which has nothing to do with your current host.

CodePudding user response:

I think I resolved it already. I added the lines marked below.

server {
    listen 80;
    server_name subdomain.myserver.com;    # added

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    allow ip_address_of_myserver;    # added
    deny all;

    location /static {
        alias /vol/static;
    }

    location / {
        proxy_set_header X-Forwarded-For $remote_addr;

        uwsgi_pass backend-api:8000;
        include /etc/nginx/uwsgi_params;
    }

    add_header Strict-Transport-Security max-age=31536000 always;

    gzip on;
    gzip_comp_level 2;
    gzip_min_length 1024;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types application/x-javascript application/javascript application/xml application/json text/xml text/css text;

    client_max_body_size 10M;

    client_body_timeout 12;
    client_header_timeout 12;
    reset_timedout_connection on;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;

    expires 1y;
    access_log off;
    log_not_found off;

}

This actually works. The application only serves requests coming from myserver and not from any other computer/server, such as from Postman. Anyway, if anyone has a comment/suggestion on how to improve this, please let me know. Thank you.
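An added example, not from the question or either answer, of a server block that keeps the allow list decided by the address the TCP connection actually comes from. Two points from the thread motivate it. First, as the first answer says, $host is the Host header the client sends, which for calls to the API is always subdomain.myserver.com and never frontend.com, so an if ($host != "frontend.com") check blocks the frontend along with everyone else; the source address ($remote_addr) is the right thing to test. Second, the resolved config combines set_real_ip_from 0.0.0.0/0 with real_ip_header X-Forwarded-For, which makes nginx replace $remote_addr with whatever that header contains, so the allow/deny rules are no longer tied to the real peer address; set_real_ip_from should name only proxies you control, or be left out when, as here, the frontend reaches nginx directly. The addresses below (a Docker network 172.18.0.0/16 and the documentation address 203.0.113.10 standing in for ip_address_of_myserver) are assumed placeholders: use the $remote_addr values the access log records for the frontend's requests. Note also that proxy_set_header only applies to proxy_pass; with uwsgi_pass the client address reaches Django as REMOTE_ADDR through uwsgi_params. A source-address allow list is a network control, not authentication: anything running on the allowed hosts can still reach the API, so the API's own authentication stays in place.

```nginx
# Added example, not the poster's config. Assumed placeholders:
#   172.18.0.0/16 = the Docker network the frontend container is attached to
#   203.0.113.10  = the public address of myserver (RFC 5737 documentation range)
# Replace both with the $remote_addr values you actually see in the access log.

server {
    listen 80;
    server_name subdomain.myserver.com;

    # Keep access logging on for this vhost so denied (403) requests are
    # visible while the allow list is being tuned.
    access_log /var/log/nginx/api_access.log;

    # Deliberately no "set_real_ip_from 0.0.0.0/0" + "real_ip_header X-Forwarded-For":
    # that pair rewrites $remote_addr from a header supplied by the client, so the
    # allow list below would no longer be decided by the peer address.
    # Enable the realip module only for a proxy you control, for example:
    #     set_real_ip_from 10.0.0.5;        # your own load balancer only
    #     real_ip_header   X-Forwarded-For;
    #     real_ip_recursive on;

    location /static {
        alias /vol/static;
    }

    location / {
        # Network-layer allow list: source addresses of the frontend only.
        allow 127.0.0.1;
        allow 172.18.0.0/16;
        allow 203.0.113.10;
        deny  all;                 # everything else is answered with 403

        # proxy_set_header has no effect with uwsgi_pass; uwsgi_params already
        # passes $remote_addr to Django as REMOTE_ADDR.
        uwsgi_pass backend-api:8000;
        include    /etc/nginx/uwsgi_params;
    }
}
```

Validate with nginx -t before reloading, then request the API once from the frontend container and once from an outside host: the first should succeed and the second should be answered with 403, and the access log shows which $remote_addr each request arrived with.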
