Hello,
I am trying to restrict some Location block in my Nginx configuration to
specific IPs. Below are the changes I made -
Version: nginx:1.21.0
location / {
    proxy_pass http://127.0.0.1:8080;
}

location = /auth {
    proxy_pass http://127.0.0.1:8080;
    allow 1.2.3.4/8;
    allow 5.6.7.8/16;
    allow my.vpn.ip.here;
    allow my.public.ip.here;
    deny all;
    error_page 403 /usr/share/nginx/html/403.html;
    auth_basic "Administrator’s area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
Here, the deny rule is not working. Users are still able to access the page
publicly. Am I missing something?
--
Regards,
Sandeep
Hi Sandeep,
I rather suspect that your top two CIDR allow lines are allowing too
many people in.
Remove them, and check that only the last two lines are
allowed in.
Then create the two top addresses very carefully, and test.
1.2.3.4/8 allows all C level addresses of the format 1.*.*.* in. I think
you need 1.2.3.4/24 which allows all of the format
1.2.3.*
Hope this helps.
Ian
On 23/01/2023 16:34, sandeep dubey wrote:
--
Ian Hobson
Tel (+66) 626 544 695
Are you sure that the request is exactly /auth since anything else like /auth/ or /auth/something will land in the first location block without any restrictions defined.
Try to remove the '=' and see if it works then.
rr
Thanks Ian for the reply.
I did it because the container was failing to start with the error below; I will restrict that too:
> [error] 7#7: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 10.10.0.38, server: _, request: "GET /api/saml-links HTTP/1.1", upstream: "http://127.0.0.1:8000/api/saml-links", host: "10.18.9.132:80"
On Mon, Jan 23, 2023 at 5:27 PM Ian Hobson <hobson42 at gmail.com> wrote:
--
Regards,
Sandeep
Thanks Reinis for the reply,
There are other locations like /auth, /auth/, /auth/admin, /auth/admin/ and
few more which have the same rules. I am trying to restrict access to /auth
and /auth/admin which are sensitive for public access. Do you think
removing "=" can help in this case?
On Mon, Jan 23, 2023 at 6:08 PM Reinis Rozitis <r at roze.lv> wrote:
--
Regards,
Sandeep
'=' in a location definition means that nginx will use it only on an exact URI match.
If you have location = /auth {} but the client requests /auth/admin (unless you also have location = /auth/admin), then that particular location configuration won't be used and the request will match 'location / {}', which in your configuration sample was proxied without any deny rules.
By removing the '=', all the /auth and /auth/* requests will be processed in that location.
It is also good to check the documentation on it: http://nginx.org/en/docs/http/ngx_http_core_module.html#location
rr
Just adding, if it's `location /auth {}`, it'll also match /autha, /authb, /authsomething/something, not just limited to /auth/*.
On Wed, Jan 25, 2023, at 01:56, Reinis Rozitis wrote:
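The location-matching rules Reinis and nanaya describe above, as an added example (this is not code from the thread, and not nginx code): a small Python model of the selection order documented for the nginx location directive, run over the three variants the thread discusses (`= /auth`, `/auth`, `/auth/`) plus a regex case that goes beyond the thread. The location names ("open", "restricted", "php") and the probe URIs are constructed for the demo.

```python
"""Simplified model of nginx location selection (added example, not nginx code).

Order, as documented for ngx_http_core_module's location directive:
  1. an exact ("=") match wins outright;
  2. otherwise the longest matching prefix is remembered, and used at once if
     it was declared with "^~";
  3. otherwise regex locations ("~", "~*") are tried in file order, first hit wins;
  4. if no regex hits, the longest prefix is used.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    modifier: str   # "", "=", "^~", "~" or "~*"
    pattern: str    # prefix string or regex, depending on the modifier
    name: str       # demo-only label so results are readable


def select_location(locations, uri):
    """Return the Location nginx would pick for a normalised request URI."""
    best_prefix = None
    for loc in locations:
        if loc.modifier == "=":
            if uri == loc.pattern:
                return loc                       # exact match: search stops here
        elif loc.modifier in ("", "^~"):
            if uri.startswith(loc.pattern) and (
                best_prefix is None or len(loc.pattern) > len(best_prefix.pattern)
            ):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix                       # "^~" suppresses the regex pass
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc                       # a regex beats the prefix match
    return best_prefix


def route(locations, uris):
    """Map each URI to the name of the location that would handle it."""
    return {uri: select_location(locations, uri).name for uri in uris}


# Constructed sample configs: the thread's original, the two suggested fixes,
# and two extra variants showing how a regex location interacts with them.
ORIGINAL = [Location("", "/", "open"), Location("=", "/auth", "restricted")]
PREFIX = [Location("", "/", "open"), Location("", "/auth", "restricted")]
SLASH = [Location("", "/", "open"), Location("", "/auth/", "restricted")]
REGEX = SLASH + [Location("~", r"\.php$", "php")]          # regex wins over prefix
CARET = [Location("", "/", "open"), Location("^~", "/auth/", "restricted"),
         Location("~", r"\.php$", "php")]                  # ^~ keeps the prefix

PROBES = ["/auth", "/auth/", "/auth/admin", "/autha", "/authsomething/x", "/api/x"]

if __name__ == "__main__":
    for label, cfg in (("= /auth", ORIGINAL), ("/auth", PREFIX), ("/auth/", SLASH)):
        print(f"location {label}: {route(cfg, PROBES)}")
    print("regex  :", select_location(REGEX, "/auth/index.php").name)
    print("^~     :", select_location(CARET, "/auth/index.php").name)
```

With `= /auth`, only the bare `/auth` URI lands in the restricted block and `/auth/`, `/auth/admin` fall through to the open `location /`, which is the exposure Sandeep observed; `/auth` as a plain prefix also captures `/autha`, as nanaya notes; `/auth/` covers the subtree but sends a bare `/auth` to `location /` in this model (real nginx answers a bare `/auth` with a 301 to `/auth/` when the `/auth/` location uses proxy_pass, which the model leaves out). The two extra variants show the check worth adding to any such review: a regex location such as `~ \.php$` elsewhere in the server block takes precedence over the restricted prefix unless that prefix is declared with `^~`.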
I have attached my config file which may help to understand it better. With this change, I am getting a "404 - Not Found" error and in the log it says
[error] 11#11: *49 access forbidden by rule, client: 10.48.11.9, server: _, request: "GET /auth/ HTTP/1.1", host: "my.domain.info", referrer: "https://my.domain.info"
It seems that the rule is working but at some wrong place; I am not sure how to organise or set the right sequence here.
On Tue, Jan 24, 2023 at 10:26 PM Reinis Rozitis <r at roze.lv> wrote:
--
Regards,
Sandeep
Thanks Daniel for the reply.
I have attached my config file for reference in a previous reply.
On Wed, Jan 25, 2023 at 10:58 AM nanaya <me at nanaya.net> wrote:
--
Regards,
Sandeep
Just from the log it seems correct - you have a rule to allow 10.48.0.0/24; but the ip 10.48.11.9 doesn't go within that subnet (/24 subnet mask is just a single C subnet 10.48.0.1-254).
Then again, your whole configuration would be simpler with just a single location block (since it doesn't seem you have an application which uses /auth without a trailing slash):
location /auth/ {
    allow 172.20.0.0/24;
    allow 10.48.0.0/24;
    #allow vpn1.ip.here;
    allow vpn2.ip.here;
    deny all;
    proxy_pass http://127.0.0.1:8080;
    auth_basic "Restricted area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
If you want to offer basic HTTP auth to those who are not within the allowed IP ranges, you need to add the 'satisfy any;' directive [1].
Also:
error_page 403 /usr/share/nginx/html/403.html; <- error_page needs a relative URI, not a full path in the filesystem; this is why nginx also returns 404 (as it can't find the error page) instead of 403 Forbidden.
If /usr/share/nginx/html is your default nginx webroot you can just specify:
error_page 403 /403.html;
If you store your error pages in different webroot add something like this:
location /403.html {
    root /usr/share/nginx/html;
}
Also your attached configuration has duplicate 'location /' directives. Nginx should complain about invalid configuration. Are you sure you are testing correctly?
[1] http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy
rr
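The allow/deny and `satisfy` semantics discussed above (Ian's point about `1.2.3.4/8` covering every `1.x.x.x` address, Reinis's point that 10.48.11.9 is outside 10.48.0.0/24, and the `satisfy any` option) as an added example, not code from the thread or from nginx: a Python model of how ngx_http_access_module evaluates a rule list and of the status the access phase returns under `satisfy all` and `satisfy any`. The rule lists, client addresses and the `credentials_valid` flag standing in for auth_basic are constructed for the demo; the VPN placeholders from the thread are replaced with documentation-range addresses.

```python
"""Model of nginx allow/deny evaluation and the `satisfy` directive
(added example, not nginx code).

Documented behaviour being modelled:
  - allow/deny rules are checked in the order written; the first match decides,
    and with no matching rule the request is allowed;
  - a bare address is a /32; host bits below the mask are ignored, so
    1.2.3.4/8 is the same rule as 1.0.0.0/8;
  - `satisfy all` (the default) requires every access check to pass,
    `satisfy any` requires only one of them.
"""
import ipaddress


def parse_rule(line):
    """Parse one 'allow X;' / 'deny X;' line into (verb, network or None for 'all')."""
    verb, target = line.strip().rstrip(";").split(None, 1)
    if verb not in ("allow", "deny"):
        raise ValueError(f"not an access rule: {line!r}")
    if target == "all":
        return verb, None
    # strict=False drops the host bits, mirroring 1.2.3.4/8 -> 1.0.0.0/8
    return verb, ipaddress.ip_network(target, strict=False)


def ip_allowed(rules, client_ip):
    """First matching rule wins; no match at all means the request is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for verb, net in map(parse_rule, rules):
        if net is None or ip in net:
            return verb == "allow"
    return True


def decide(rules, client_ip, credentials_valid, satisfy="all"):
    """HTTP status the access phase would produce for this client.

    `credentials_valid` stands in for the auth_basic check (constructed flag).
    """
    ip_ok = ip_allowed(rules, client_ip)
    if satisfy == "all":
        if not ip_ok:
            return 403                       # access module denies first
        return 200 if credentials_valid else 401
    if satisfy == "any":
        if ip_ok or credentials_valid:
            return 200
        return 401                           # denied IPs still get a credentials prompt
    raise ValueError("satisfy must be 'all' or 'any'")


# Constructed rule lists: the thread's /24 rules (VPN placeholder replaced by a
# documentation-range address) and Ian's /8 versus /24 comparison.
THREAD_RULES = ["allow 172.20.0.0/24;", "allow 10.48.0.0/24;",
                "allow 203.0.113.7;", "deny all;"]
WIDE_RULES = ["allow 1.2.3.4/8;", "deny all;"]     # really 1.0.0.0/8
NARROW_RULES = ["allow 1.2.3.4/24;", "deny all;"]  # really 1.2.3.0/24

if __name__ == "__main__":
    for ip in ("10.48.11.9", "10.48.0.9", "203.0.113.7", "198.51.100.1"):
        print(f"{ip:>14}  allowed={ip_allowed(THREAD_RULES, ip)!s:5}  "
              f"all/no-creds={decide(THREAD_RULES, ip, False)}  "
              f"any/no-creds={decide(THREAD_RULES, ip, False, 'any')}")
    print("1.250.0.1 under /8 :", ip_allowed(WIDE_RULES, "1.250.0.1"))
    print("1.250.0.1 under /24:", ip_allowed(NARROW_RULES, "1.250.0.1"))
```

Running it shows why the log line in the thread is the expected outcome: 10.48.11.9 is not inside 10.48.0.0/24, so under the default `satisfy all` the client gets 403 whatever credentials it presents, whereas under `satisfy any` the same client is challenged for basic auth (401) and admitted only with valid credentials. The `/8` versus `/24` comparison makes Ian's objection concrete: an `allow` on a /8 admits 16 million addresses, so rule masks deserve the same review as the rule order.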
Thanks Reinis for the response and suggestions.
I made the changes and unfortunately couldn't make it work. Later I realised that we are running an Nginx Controller in a GKE env., so I assume that the restriction changes should be done at the controller level and not in Nginx (not very sure).
On Wed, Jan 25, 2023 at 6:59 PM Reinis Rozitis <r at roze.lv> wrote:
--
Regards,
Sandeep