How to restrict access to a site by IP through nGinx?

Time:11-02

I have a website that can be accessed by entering the IP address. I want to make it accessible only through the domain. There is little suitable material on the Internet, and there is no good explanation of what to replace in the code of the nginx.conf file.

My file already has 2 sections named server.

server {
        listen 80;
        server_name avoe.com;
        rewrite ^ https://avoe.com$request_uri? permanent;
}

server {
        listen                      443 ssl;
        server_name                 avoe.com;
        ssl_certificate             /etc/ssl/__reksoft_ru.crt;
        ssl_certificate_key         /etc/ssl/private.key;
        ssl_protocols               TLSv1.2 TLSv1.3;
        ssl_ciphers                 HIGH:!aNULL:!MD5;

        add_header X-Frame-Options "SAMEORIGIN";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

        client_body_buffer_size         8k;
        client_max_body_size            20m;
        client_body_in_single_buffer    on;
        client_header_buffer_size       1m;
        large_client_header_buffers 4   8k;

        location /Intra/api/thumbor/ {
            proxy_pass http://thumbor/;
        }

        location /solr {
            proxy_pass http://solr;
        }

        location /minio {
            proxy_pass http://minio;
        }

        location /activemq {
            proxy_pass http://activemq;
        }


        location / {
            proxy_pass http://wildfly/;

            proxy_buffer_size 16k;
            proxy_buffers 16 16k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
            proxy_read_timeout 180s;

            proxy_set_header   Host              $host;
            proxy_set_header   X-Real-IP         $remote_addr;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;

            if ($request_method !~ ^(GET|HEAD|POST|DELETE|PUT)$ ) {
                return 405;
            }
        }
}

What to add or replace where so that access is ONLY by domain?

CodePudding user response:

You could ensure the HTTP Host header is set to avoe.com like this:

if ($http_host != 'avoe.com') {
    return 301 https://avoe.com$request_uri;
}

CodePudding user response:

You can use a default server block to capture all requests where the Host HTTP header doesn't match any of the server names specified with the server_name directive in any other defined server block. To do it, you can use the default_server flag for the listen directive:

server {
    listen 80 default_server;
    listen 443 default_server ssl;
    ssl_certificate /some/path/file.crt;
    ssl_certificate_key /some/path/file.key;
    return 444; # silently drop the connection
}

See the "How nginx processes a request" official documentation page for additional details, or this answer for even more details.

The above configuration will require a valid certificate/key pair. You don't need to expose your certificate for the avoe.com domain (moreover, generally you don't want an attacker to see what domain is hosted on your server), so any self-signed certificate will be enough for the above server block. To generate a self-signed key/cert pair in one line, you can use the following command:

openssl req -nodes -new -x509 -subj "/CN=localhost" -keyout /some/path/file.key -out /some/path/file.crt
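
Added example, not part of the answers above: a simplified Python model of how nginx picks a server block, showing why a request with the bare IP in the Host header reaches the avoe.com block in the original config and lands in the default_server block once that is added. It models exact server_name matches only (no wildcards or regexes); the configs are trimmed (certificate lines omitted) and 203.0.113.10 is a constructed address.

```python
import re

# Constructed sample: the question's two server blocks, trimmed to the
# directives that matter for server selection.
ORIGINAL = """
server { listen 80; server_name avoe.com; rewrite ^ https://avoe.com$request_uri? permanent; }
server { listen 443 ssl; server_name avoe.com; location / { proxy_pass http://wildfly/; } }
"""
# The catch-all block from the answer above, certificate lines omitted.
CATCH_ALL = """
server { listen 80 default_server; listen 443 default_server ssl; return 444; }
"""

def parse_servers(conf):
    """Simplified parser: listen ports, names and `return` code per server block."""
    servers, depth, cur, base = [], 0, None, 0
    for m in re.finditer(r"([^;{}]*)([;{}])", re.sub(r"#.*", "", conf)):
        head, term = m.group(1).split(), m.group(2)
        if term == "{":
            depth += 1
            if head == ["server"] and cur is None:
                cur, base = {"listen": {}, "names": [], "ret": None}, depth
                servers.append(cur)
        elif term == "}":
            if cur is not None and depth == base:
                cur = None
            depth -= 1
        elif cur is not None and depth == base and head:
            if head[0] == "listen":  # port -> was default_server given explicitly?
                cur["listen"][head[1].split(":")[-1]] = "default_server" in head[2:]
            elif head[0] == "server_name":
                cur["names"] += [n.lower() for n in head[1:]]
            elif head[0] == "return":
                cur["ret"] = head[1]
    return servers

def select_server(servers, port, host):
    """Exact name match first, then explicit default_server, then first block defined."""
    on_port = [s for s in servers if port in s["listen"]]
    by_name = [s for s in on_port if host.lower() in s["names"]]
    explicit = [s for s in on_port if s["listen"][port]]
    return (by_name or explicit or on_port or [None])[0]

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("with catch-all", CATCH_ALL + ORIGINAL)):
        for host in ("avoe.com", "203.0.113.10"):
            s = select_server(parse_servers(conf), "443", host)
            print(f"{label:15} Host={host:13} -> names={s['names']} return={s['ret']}")
```
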

CodePudding user response:

Use this config as the server that listens on port 80:

server {
    # default_server is a parameter of the listen directive, not a server name
    listen 80 default_server;
    server_name avoe.com;

    if ($host = avoe.com) {
         return 301 https://$host$request_uri;
    }
    return 404;
}