Nginx stream block with wildcard filtering of subdomains

Zareh Kasparian

1/23/23, 9:01 PM

I have set up an Nginx server as L4 Proxy(Forward Proxy With Stream Module), with the following configuration in the nginx.conf file;

stream {
resolver 8.8.8.8;
server {
    listen 443;
    ssl_preread on;
    proxy_connect_timeout 5s;
    proxy_pass $ssl_preread_server_name:$server_port;
  } 
}

everything works fine, with the configuration above. but let's say I want to limit the access of the URLs passing to my proxy server.Not by limiting the IP address but with URL names.
I did a research and setup the following configuration file and somehow I was able to control the URLs passing to my proxy.
But the issue starts from here. If a large website is called, since it has many links or subdomains loaded behind the scene, and knowing that I have limited the URLs allowed to pass, and wildcarding subdomains is not working in stream block, I am not able to load the requested website completely.
Is there a solution to have it used in stream block to support wildcard for subdomain of domain? my new configuration is as below:

stream {


 map $ssl_preread_server_name $name {
     ipchicken.com ipchicken.com;
     www.bbc.com www.bbc.com;
     www.bbc.co.uk www.bbc.co.uk;
     bbci.co.uk bbci.co.uk;
}


server {

    resolver 8.8.8.8;
    listen 443;
    ssl_preread on;
    proxy_connect_timeout 5s;
    proxy_pass $name:$server_port;
   }
 }

 events {
}

499

0 + 0

nginx

transparent-proxy

Score:3

Server

Ivan Shatsky

1/24/23, 1:40 AM

You are looking for the hostnames keyword. With this keyword you can use *.example.com as a wildcard entry for example.com domain. Similarly as for server_name directive you can use .example.com for both example.com and *.example.com:

map $ssl_preread_server_name $name {
    hostnames;
    .ipchicken.com    $ssl_preread_server_name;
    .bbc.com          $ssl_preread_server_name;
    .bbc.co.uk        $ssl_preread_server_name;
    .bbci.co.uk       $ssl_preread_server_name;
}

As an alternative you can use any regex within the map block, i.e.

map $ssl_preread_server_name $name {
    # covers 'bbc.com', 'www.bbc.com' and 'static.bbc.com':
    ~^(?:www\.|static\.)?bbc\.com$    $ssl_preread_server_name;
    ...
}

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Nginx stream block with wildcard filtering of subdomains

TH: บล็อกสตรีม Nginx พร้อมการกรองไวด์การ์ดของโดเมนย่อย

RO: Bloc de flux Nginx cu filtrare cu wildcard a subdomeniilor

RU: Блокировка потока Nginx с фильтрацией субдоменов по подстановочным знакам

VI: Khối luồng Nginx với bộ lọc ký tự đại diện của tên miền phụ

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.