Score:0

IP-Filtering on Apache-nginx-Combo


We have a request to secure a domain by restricting access to the IP ranges of a cloud WAF. The server runs Apache for PHP and nginx as a reverse proxy, so the chain from browser to website is presumably: Client <-> DNS <-> WAF <-> nginx <-> Apache

Looking at the logs, I found that requests fulfilled by nginx do come from the IPs of the WAF, while those answered by Apache do not (I see my own IP address in the logs when going to the website). nginx is configured using Plesk to be in proxy mode with smart static file processing.

Applying the directives to Apache (.htaccess) leads to 403, which is no surprise because it does not get requests from the WAF server.

I couldn't apply the directives to nginx using Plesk (Additional directives). This gives me an error message. I tried

location / {
    allow 199.83.128.0/21;
    allow 2a02:e980::/29;
    deny all;
}

nginx: [emerg] duplicate location "/" in /var/www/vhosts/system/example.co/conf/vhost_nginx.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed

This server runs Plesk 17.8.11, nginx 1.14.2 and Apache 2.4.7 on Ubuntu 14.04.6. This server hosts several domains.

Is the way I try to solve this correct? Why do I get this error?

Adding the conf file of the domain that contains the location directive:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

server {
    listen 00.000.00.00:443 ssl http2;

    server_name example.com;
    server_name www.example.com;
    server_name ipv4.example.com;

    ssl_certificate             /opt/psa/var/certificates/scfPNclj5;
    ssl_certificate_key         /opt/psa/var/certificates/scfPNclj5;
    ssl_client_certificate      /opt/psa/var/certificates/scf58Rxns;

    client_max_body_size 128m;

    proxy_read_timeout 300;

    root "/var/www/vhosts/example.com/httpdocs";
    access_log "/var/www/vhosts/system/example.com/logs/proxy_access_ssl_log";
    error_log "/var/www/vhosts/system/example.com/logs/proxy_error_log";

    if ($host ~* ^superglass\.de$) {
        rewrite ^(.*)$ https://www.example.com$1 permanent;
    }

    #extension letsencrypt begin
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/vhosts/default/htdocs;

        types { }
        default_type text/plain;

        satisfy any;
        auth_basic off;
        allow all;

        location ~ ^/\.well-known/acme-challenge.*/\. {
            deny all;
        }
    }
    #extension letsencrypt end

    location / {
        proxy_pass https://00.000.00.00:7081;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Accel-Internal /internal-nginx-static-location;
        access_log off;

    }

    location /internal-nginx-static-location/ {
        alias /var/www/vhosts/example.com/httpdocs/;
        internal;
    }

    location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
        proxy_pass https://00.000.00.00:7081;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Accel-Internal /internal-nginx-static-location;
        access_log off;

    }

    location ~ "^/files/" {
        proxy_pass https://00.000.00.00:7081;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Accel-Internal /internal-nginx-static-location;
        access_log off;

    }

    add_header X-Powered-By PleskLin;

    include "/var/www/vhosts/system/example.com/conf/vhost_nginx.conf";
}

server {
    listen 00.000.00.00:80;

    server_name example.com;
    server_name www.example.com;
    server_name ipv4.example.com;

    client_max_body_size 128m;

    proxy_read_timeout 300;

    if ($host ~* ^superglass\.de$) {
        rewrite ^(.*)$ https://www.example.com$1 permanent;
    }

    return 301 https://$host$request_uri;
}

There is another file included in 'var/www/...', which is empty. Probably I should add my stuff there.

ajmeese7: We need to see your full configs; my guess is that you already have the `/` directive defined somewhere, as the error message says.
user414873: 'nginx -V' gave me the conf path; there are lots of nested includes there. I found 'location' in '/etc/nginx/plesk.conf.d/server.conf' and '/etc/nginx/plesk.conf.d/vhosts/example.com.conf'. All those files have a comment warning not to modify them, because Plesk will likely overwrite the changes.
Score:1

Forget the location setting in "Additional Nginx Directives". Scroll up on Plesk's "Apache & nginx Settings" page to the "Deny access to the site" section. There you can simply enter your IP addresses or IP address ranges that you want to "allow" or "deny" and Plesk will handle it correctly for you regardless of whether you are using Nginx-only or proxy mode.
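As an added example (not code from the question, the answer or Plesk), the script below audits an nginx proxy access log for requests that did not arrive from the WAF ranges quoted in the question, which is how to verify that the allow/deny setting actually closes direct-to-origin access, and it emits plain allow/deny lines for the server context, since Plesk includes vhost_nginx.conf inside the generated server {} that already has its own location /. The log lines are constructed samples.

```python
"""Audit an nginx proxy access log for requests that bypassed the WAF,
and emit allow/deny directives for the WAF ranges (added example)."""
import ipaddress
import re

# WAF ranges taken from the question; extend with the full list from the WAF vendor.
WAF_RANGES = [ipaddress.ip_network(c) for c in ("199.83.128.0/21", "2a02:e980::/29")]

# nginx "combined" log format: $remote_addr - $remote_user [$time_local] "$request" $status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def from_waf(ip_str):
    """True if the address lies inside one of the WAF ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in WAF_RANGES)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_bypasses(lines):
    """Return (ip, request, status) for every request that did not come via the WAF."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not from_waf(rec["ip"]):
            hits.append((rec["ip"], rec["req"], int(rec["status"])))
    return hits

def nginx_access_directives(ranges=WAF_RANGES):
    """allow/deny lines without a surrounding location block: Plesk's generated
    vhost already defines 'location /' and includes vhost_nginx.conf inside
    server {}, so a second 'location /' fails with 'duplicate location'.
    Server-level rules are inherited by every location that has no own allow/deny
    (the Let's Encrypt location keeps its 'allow all')."""
    lines = [f"allow {net.with_prefixlen};" for net in ranges]
    lines.append("deny all;")
    return "\n".join(lines)

# Constructed sample log lines, not taken from the server in the question.
SAMPLE_LOG = [
    '199.83.130.17 - - [12/Mar/2021:10:00:01 +0100] "GET / HTTP/2.0" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2021:10:00:05 +0100] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/7.68"',
    '2a02:e980:1::5 - - [12/Mar/2021:10:00:09 +0100] "POST /api HTTP/2.0" 200 90 "-" "Mozilla/5.0"',
    'garbage line',
]

if __name__ == "__main__":
    for ip, req, status in find_bypasses(SAMPLE_LOG):
        print(f"not via WAF: {ip} {req} -> {status}")
    print(nginx_access_directives())
```

Run it against /var/www/vhosts/system/example.com/logs/proxy_access_ssl_log after the Plesk setting is applied; any remaining non-WAF hit means the origin is still reachable directly.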
