Score:0

Bind nginx to vpn address only

ru flag

I am probably unnecessarily paranoid. But still also I think paranoid isn't too bad when it comes to security.

I have a web server running on a VPS. I run zerotier on all my VPS and my home machines. I then use Letsencrypt to run a https webserver.

Therefore, I have a DNS entry pointing to my webserver with the zerotier VPS address: myzerotier_webserver.mydomain.com 172.29.70.241.

Now, I'd like to restrict access to my webserver to only participants in the zerotier network.

I tried this:

        listen 127.0.0.1:443 ssl http2;
        listen 172.29.0.0:443 ssl http2;

But this doesn't seem to work accessing this server from my connected home laptop entering myzerotier_webserver.mydomain.com in the browser.

I also tried by replacing 172.29.0.0 with the actual IP address of the VPS, e.g. 172.29.70.241.

But it also didn't work.

Is this actually doable in some way? Should I do it differently maybe? Maybe it should work so the issue is some other configuration I got wrong?

bjoster avatar
cn flag
Which webserver are you using? Nginx gets its listeners from the line `listen <ip>:<port>`. If this doesn't work as expected, a line from the access log would be helpful.
transient_loop avatar
ru flag
I now know why this wasn't working: I was running nginx in a docker container, and the client IP was appearing as yet another network via `docker compose`: 192.168.80.1. Which means even the accepted solution actually doesn't work. In order to make it work, I had to extract nginx to run on the host, not in a container. Now I can filter by VPN address AND I can use multiple `server` instances of nginx listening to the same ports without interfering.
Score:1
pg flag

There is also an option to make it through NGINX configs, here it is:

location / {
  allow 45.43.23.0/24; # Change this to appropriate range
  deny all;
}
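To see what this `allow`/`deny` block actually decides for a given client address, including the Docker case from the comments where every client arrives as the bridge gateway 192.168.80.1, here is a small evaluator of nginx-style access rules. It is an added example, not code from the answer or from nginx; the VPN range 172.29.0.0/16 and the sample client addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# (action, network); network None means "all" (matches IPv4 and IPv6 alike).
Rule = Tuple[str, Optional[ipaddress._BaseNetwork]]

def parse_rules(config: str) -> List[Rule]:
    """Collect allow/deny directives, in order, from an nginx location block."""
    rules: List[Rule] = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()  # drop comments
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue  # skip 'location / {', '}', blank and unrelated lines
        net = None if parts[1] == "all" else ipaddress.ip_network(parts[1], strict=False)
        rules.append((parts[0], net))
    return rules

def is_allowed(client_ip: str, rules: List[Rule]) -> bool:
    """First matching rule wins (as in ngx_http_access_module); no match allows."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action == "allow"
    return True

# Constructed location block: same shape as the answer, VPN range substituted.
VPN_ONLY_BLOCK = """
location / {
  allow 172.29.0.0/16;   # zerotier range (adjust to your network)
  deny all;
}
"""
RULES = parse_rules(VPN_ONLY_BLOCK)

def decide(clients: List[str]) -> dict:
    """Map each client address to the decision the block would make."""
    return {c: is_allowed(c, RULES) for c in clients}

if __name__ == "__main__":
    # 192.168.80.1 is the docker compose bridge gateway the asker saw: because
    # the container only ever sees that address, every VPN client is denied.
    for ip, ok in decide(["172.29.70.5", "192.168.80.1", "203.0.113.7"]).items():
        print(f"{ip:>14} -> {'allow' if ok else 'deny'}")
```

Run on the host (not in a container) nginx sees the real source address, which is why the allow/deny approach only started working after the asker moved nginx out of Docker.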
transient_loop avatar
ru flag
I like both suggestions, but prefer the ufw approach as I am personally likely to keep an eye on those rather more often. Thank you!
Score:1
pg flag

If you are using UFW, you can just simply allow port access only for specific ranges. Here is an example:

ufw allow from 172.29.70.0/24 to any port 443 proto tcp comment "HTTPS only zerotier"

Change 172.29.70.0/24 to appropriate range.

Also don't forget to make default traffic rules:

ufw default allow outgoing

ufw default deny incoming

And enable UFW:

ufw enable && ufw reload

NukDokPlex avatar
pg flag
If you are accessing your server through ssh, don't forget to allow its port: `ufw allow from any to any port 22 proto tcp comment SSH`. Execute this command BEFORE enabling UFW.