I use the following config for nginx with http and stream. Each of them should include the same IP whitelist.
The whitelist looks like this:
allow 78.153.123.0/20;
allow 2a01:123::/32;
deny all;
My nginx config:
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log debug;

events {
    worker_connections 1000;
    multi_accept off;
}

http {
    include /etc/nginx/server.whitelist;
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }
}

stream {
    include /etc/nginx/server.whitelist;
    log_format basic '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time';
    access_log /var/log/nginx/access.log basic;
    error_log /var/log/nginx/error.log info;
    server {
        resolver 9.9.9.9 [2606:4700:4700::1111] ipv4=off ipv6=on;
        listen 443;
        ssl_preread on;
        proxy_pass $ssl_preread_server_name:443;
        proxy_bind 2a10:xxxx:xxxx::xxxx:xxxx:xxxx:xxxx;
    }
}
Example of request with curl:
:~$ curl http://45.77.xxx.xxx; curl https://45.77.xxx.xxx
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.23.3</center>
</body>
</html>
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 45.77.xxx.xxx:443
The configuration basically does what it should, except for the http directive: the whitelist does not apply there. I have already tried to duplicate the file and include it under a different name, without success.
The log shows only "forbidden by rule" for the stream directive, and GET with status 301 for the http directive.
Is it possible to integrate the whitelist globally?
Is it because of the return that the whitelist doesn't take effect?
Thanks and Greetings
pr0
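The behaviour in the question follows from nginx's request phases: `return` belongs to the rewrite module and runs in the server rewrite phase, which comes before the access phase where `allow`/`deny` are evaluated, so the redirect is sent before the whitelist is ever consulted (the stream module has no such phase ordering, which is why the same file works there). The configuration below is an added example, not the poster's config: it replaces the http-side whitelist with a `geo` map (the variable name `$denied` and the use of the post's two sample ranges are assumptions) and rejects non-whitelisted clients with another rewrite-phase directive placed before the redirect, so the check is applied in order.

```nginx
# Added example, not the original poster's configuration.
# Assumes the same address ranges as the posted whitelist; $denied is a
# name chosen here. The stream block can keep the included whitelist file.
http {
    # geo resolves $denied from the client address before any request
    # phase runs. Like allow/deny it uses longest-prefix match; default
    # (no match) is "denied", mirroring the posted 'deny all'.
    geo $denied {
        default          1;
        78.153.123.0/20  0;   # constructed range taken from the post
        2a01:123::/32    0;   # constructed range taken from the post
    }

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;

        # 'if' and 'return' are both rewrite-phase directives and are
        # executed in configuration order, so a denied client receives
        # 403 here and never reaches the redirect below.
        if ($denied) {
            return 403;
        }

        return 301 https://$host$request_uri;
    }
}
```

Run `nginx -t` after the change; with `error_log ... debug` the rejected requests show up as plain 403 entries in the access log rather than "access forbidden by rule", because the access module is no longer the component doing the rejecting.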