Score:0

NGINX access module and internal DNS: How to allow only local clients

cn flag

I searched through serverfault but couldn't find an answer to this. Maybe I just don't know the right keyword or it's a conceptual misunderstanding. Any help would be appreciated!

The situation:

  1. My local services are running behind an NGINX reverse proxy
  2. I use a LAN DNS on the router (Draytek) to resolve local requests to *.example.com directly to my local server (192.168.1.2).

Even if there is no internet connection, the domains will be resolved to the local server and all services are accessible. That's why I use the LAN DNS. So far, so good.

Now I want to only allow local clients to access certain services by using the NGINX access module with:

allow 192.168.1.0/24;
deny all;

But NGINX only sees the public IP of the router instead of the IP of the client (192.168.1.100) and so every request is refused:

[...] access forbidden by rule, client: 123.123.123.123, server: service.example.de, request: [...]"

My question is:

How can I distinguish between local and remote clients on NGINX in this scenario?

Link to network diagram


vidarlo avatar
ar flag
Don't use NAT. DNS does *not* rewrite any IP's.
Score:0
ru flag

First an assumption/condition, which is to check if your router adds the X-Forwarded-For header or something similar (keeps trace of the actual client IP)

You should resolve the client IP first, through ngx_http_realip_module

The example configuration provided there:

set_real_ip_from  192.168.1.0/24;
set_real_ip_from  192.168.2.1;
set_real_ip_from  2001:0db8::/32;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

With this, the IP used for access checks should be the correct one (actual client).

One caveat is that with such configuration, attempts to add the router to the X-Forwarded-For header cannot be done automatically with proxy_add_x_forwarded_for, as the IP added through will have been altered by the previous directive. That specific case has been discussed on stack overflow

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.