Restrict access by IP in docker nginx container

Time:11-02

I've only been working with Docker for a short time, so I'm new to this and there are certain concepts that escape me. Currently, I have dockerized an application and created an image of said application. On the other hand, the application was made years ago and connects to a MySQL 5.7 database, so we have an image of this database. Finally, we have an Nginx image that works as a reverse proxy. By using my Docker-Compose, the whole system works correctly, and I am able to access my application without problems. We want this application to be accessible by certain IPs, so normally (without dockerizing), we use Apache with mod_proxy and mod_proxy_http to deny all access except from these IPs. But in Docker, using docker-compose creates its own internal network and the IP of the accessing client changes, so it denies all IPs.

As I have found more documentation of Nginx than of Apache with Docker, I am trying to configure it with Nginx. But the same thing keeps happening to me: when I allow my IP or that of another computer, it doesn't work, giving me the error that the server has denied access. Is there a way to add something in the configuration that allows certain real IPs? I know that it can be done on the server itself with iptables rules, but we would like it all to be done through a Docker image.

I don't care if it's done with Nginx or Apache. I've seen that in both they use a realIP mod, but above all to record accesses; I don't know how to use this in the allow or deny access part.

My docker-compose:

version: '3.0'
services:
   db:
     restart: always
     container_name: bd
     image: mysql:5.7
     environment:
       MYSQL_ROOT_PASSWORD: password
       MYSQL_DATABASE: app
     volumes:
       - dbdata:/var/lib/mysql
       - ./_MySQL_Init_Script:/docker-entrypoint-initdb.d
     ports:
       - "33306:3306"
   app:
     depends_on:
       - db
     restart: always
     container_name: app
     image: app:v1
   proxy:  
     container_name: proxy
     restart: always
     image: nginx
     depends_on:
       - db
       - app
     ports:
       - "80:80" 
     volumes:
       - ./default.conf:/etc/nginx/conf.d/default.conf:ro     
volumes:
    dbdata:

My default.conf:

server {
    listen       80;
    listen  [::]:80;
    server_name  localhost; 
    
    location / {      
    root   /usr/share/nginx/html;
    proxy_pass http://app:5885/;
        deny all;       
    Allow 192.X.X.X;
    Allow 192.X.X.X;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

The Nginx Container logs:

[error]23#23: *3 access forbidden by rule, client: 172.24.0.1, server localhost, request:"Get /api/Acceso/VersionApp HTTP/1.1" ...

CodePudding user response:

I managed to fix the problem. The application is being used on my work computer, which is a Windows machine with Docker Desktop. When I tried to access the website, I did it from this same computer.

When putting the dockerized application into production, I set it up without Allow or Deny, simply by configuring iptables. When trying to access the website of the application it worked correctly, but when I look at the Nginx logs, I see that my real IP appears and not that of the Docker container.

Therefore, I understand that the problem is related to the operation of Docker Desktop, since I did the test both with the WSL2 option activated and without the option activated.

I should add that when doing the test the first time on Ubuntu, it gave me an error since default.conf was badly written. Allow must be lowercase, and IPs must be placed above all.

My final default.conf:

server {
    listen       80;
    listen  [::]:80;
    server_name  localhost; 

    location / {      
        root   /usr/share/nginx/html;
        proxy_pass http://app:5885/;
        allow 192.X.X.X;
        allow 192.X.X.X;
        deny all;         
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
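
The rule ordering behind the fix above, as an added example (not part of the original question or answer): a small Python model of how nginx checks allow/deny rules in sequence until the first match, plus a check for the two mistakes the answer names. The address 192.0.2.10 and the two sample location blocks are constructed stand-ins for the masked 192.X.X.X entries; 172.24.0.1 is the client address from the log in the question.

```python
import ipaddress
import re

# Matches access rules such as "allow 192.0.2.10;" or "Deny all;" in any letter case.
RULE_RE = re.compile(r"^\s*(allow|deny)\s+([^;\s]+)\s*;", re.IGNORECASE | re.MULTILINE)

# Constructed sample blocks: 192.0.2.10 stands in for the masked 192.X.X.X entries.
BEFORE = """
location / {
    proxy_pass http://app:5885/;
    deny all;
    Allow 192.0.2.10;
}
"""
AFTER = """
location / {
    proxy_pass http://app:5885/;
    allow 192.0.2.10;
    deny all;
}
"""

def parse_rules(conf_text):
    """Return (rules, problems); rules keep the order they have in the file."""
    rules, problems, seen_all = [], [], False
    for m in RULE_RE.finditer(conf_text):
        name, target = m.group(1), m.group(2)
        if name != name.lower():
            problems.append(f"'{name}': directive names are lowercase in nginx")
        if seen_all:
            problems.append(f"'{name.lower()} {target}' can never match: an 'all' rule precedes it")
        seen_all = seen_all or target == "all"
        rules.append((name.lower(), target))
    return rules, problems

def decide(rules, client_ip):
    """First matching rule wins; with no match the access module allows the request."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        # Only "all", single addresses and CIDR ranges are modelled here.
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return action
    return "allow"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        rules, problems = parse_rules(conf)
        print(label, problems, {ip: decide(rules, ip) for ip in ("192.0.2.10", "172.24.0.1")})
```

For the "before" block the decision is modelled as if the capitalised directive had been accepted, to show that `deny all` placed first still blocks the listed address once the case is fixed. With the corrected order, a request that reaches nginx from the Docker bridge address 172.24.0.1 is still denied, which matches the log line in the question.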