Only allow local addresses using nginx reverse proxy when accessed from external web URL address

I have set up a Vaultwarden server locally with nginx and have linked it to the website xxx.ddnsfree.com. I can access it fine using xxx.ddnsfree.com.

I am trying to make it so that I can only access the server at xxx.ddnsfree.com from a local IP address, but through the link and not the IP address of the server. My server sits at 192.168.1.66.

This is what my /etc/nginx/sites-dietpi/vaultwarden.conf file looks like.

I added allow 192.168.1.0/24 and deny all.

    location / {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass https://127.0.0.1:8001;
      allow 192.168.1.0/24;
      deny all;
    }

    location /notifications/hub/negotiate {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass https://127.0.0.1:8001;
    }

    location /notifications/hub {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Forwarded $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass https://127.0.0.1:3012;
    }

All my devices are 192.168.1.xx.

It works fine if I remove those lines, but when I add them, I get a 403 Forbidden error.

However, it works if I go to 192.168.1.66 (the local IP of my server) from the web browser.

How can I fix this? What am I doing wrong? I need to be able to access it from the URL address.

If you are using the DDNS name, which resolves to a public IP, then the request to the server will most likely come from the public IP of the router. Therefore it is expected to be blocked. You can verify that with a tcpdump on the server.

How do I check and how do I unblock it?

Check the nginx logs to see what has been blocked and from which source address.

Still, what is not clear to me is why you are trying to access nginx via the DDNS URL while, on the other hand, you want to allow the local IP range only. Why not access it via the local IP? What is the reason for this exercise? The challenge is that your external IP changes over time. That means you can't just allow one address. It would need to be a wider range.
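
The log check suggested in the replies above, as an added example that is not part of the original thread: it reads nginx error-log entries for requests rejected by an allow/deny rule and reports whether each client address falls inside the 192.168.1.0/24 range from the question. The log lines are constructed samples, and the function and variable names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Rule from the question's "location /" block: allow 192.168.1.0/24; deny all;
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Entry nginx writes to its error log when an allow/deny rule rejects a request.
DENIED_RE = re.compile(
    r'access forbidden by rule, client: (?P<client>[0-9A-Fa-f.:]+),'
    r'.*\bhost: "(?P<host>[^"]+)"'
)

# Constructed sample log lines. 203.0.113.7 and 198.51.100.20 are
# documentation addresses; the first stands in for the router's public IP.
SAMPLE_ERROR_LOG = """\
2024/01/01 10:00:01 [error] 812#812: *3 access forbidden by rule, client: 203.0.113.7, server: xxx.ddnsfree.com, request: "GET / HTTP/1.1", host: "xxx.ddnsfree.com"
2024/01/01 10:00:02 [error] 812#812: *4 access forbidden by rule, client: 203.0.113.7, server: xxx.ddnsfree.com, request: "GET /favicon.ico HTTP/1.1", host: "xxx.ddnsfree.com"
2024/01/01 10:03:10 [error] 812#812: *9 access forbidden by rule, client: 198.51.100.20, server: xxx.ddnsfree.com, request: "GET / HTTP/1.1", host: "xxx.ddnsfree.com"
2024/01/01 10:05:00 [error] 812#812: *12 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.20, server: xxx.ddnsfree.com, request: "GET / HTTP/1.1", upstream: "https://127.0.0.1:8001/", host: "192.168.1.66"
"""


def denied_sources(log_text, allowed_nets=ALLOWED_NETS):
    """Summarise rule-based denials as (client, host, count, in_allowed_range)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = DENIED_RE.search(line)
        if match:
            counts[(match["client"], match["host"])] += 1
    rows = []
    for (client, host), count in counts.most_common():
        addr = ipaddress.ip_address(client)
        # True would mean a LAN address was denied, so the rule itself is wrong;
        # False means nginx saw a non-LAN source, as the reply predicts.
        in_range = any(addr in net for net in allowed_nets)
        rows.append((client, host, count, in_range))
    return rows


if __name__ == "__main__":
    for client, host, count, in_range in denied_sources(SAMPLE_ERROR_LOG):
        print(f"{count:3d}  client={client:<15}  host={host}  inside allow range: {in_range}")
```

On a real server, pass the contents of the nginx error log instead of the sample; its path depends on the installation and is not given in the thread.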