Restrict access to website using wireguard VPN - nginx

I set up a wireguard instance in a docker container and use nginx proxy manager to set up all reverse proxy settings. Now I want the website to be only accessible when I am connected to the VPN.
I tried to add localhost as the forward address and set the only allow to the local server IP, but it doesn't work and just displays a "can't connect to server" message in my browser.

Add this to a server block (or a location or http block) in your nginx configuration:
    allow IP_ADDRESS_OR_NETWORK; # allow only connections from the WireGuard VPN network
    deny all;                    # block the rest of the world
The allowed network has to match your specific Wireguard VPN network. All peer IP addresses which should have access must be part of the network range. Depending on your NAT settings, you should verify the actual IP address or network by checking the access log: tail -f /var/log/nginx/access.log
Be sure to reload your nginx config to apply changes: service nginx reload
See also http://nginx.org/en/docs/http/ngx_http_access_module.html for usage hints on the HTTP access module.
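As an added example (not code from the thread), here is a complete server block applying the allow/deny pattern above, together with the NAT caveat the answer mentions. The tunnel network 10.8.0.0/24, the upstream 127.0.0.1:3000, the server name and the sample container address are all assumptions; substitute your own values. In Nginx Proxy Manager the allow/deny lines go into the proxy host's custom Nginx configuration field.

```nginx
# Added example: serve the site only to WireGuard peers.
# Assumptions: the WireGuard tunnel network is 10.8.0.0/24 and the application
# listens on 127.0.0.1:3000 (both placeholders).
server {
    listen 80;
    server_name app.example.internal;   # placeholder name

    # Only tunnel addresses may proceed; everyone else receives 403.
    allow 10.8.0.0/24;
    deny  all;

    # Keep the client address in the log so the allow list can be verified
    # against what nginx actually sees (tail -f this file while connected).
    access_log /var/log/nginx/access.log;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

# Caveat when WireGuard and nginx run in separate containers: if the WireGuard
# container masquerades (NATs) tunnel traffic onto the Docker network, nginx
# sees the WireGuard container's bridge address instead of 10.8.0.x, and the
# access log shows that address. It is then the one to allow, for example:
#   allow 172.20.0.5;   # constructed example address of the WireGuard container
```

Test the rule from both sides: a request over the tunnel should succeed, and the same request from the LAN without the tunnel should return 403 and appear in the access log with the non-tunnel source address.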

Related

How to access the application from other device in local network

In the project I am working on, there is an application that works on many docker containers. To access one of the containers I need to add the following path in the /etc/hosts file
127.0.0.1 my.domain.com
Then the app is of course available at http://my.domain.com on my computer.
Unfortunately, this is a large, complicated application and I cannot change the configuration to add a port (then I would use 192.168.X.X:PORT from another device). So how would I be able to access the application from another device in the local network (WiFi or another way)? I tried using localtunnel or ngrok, but they work too slowly and aren't good in this case.
Maybe someone knows another way?
If your server is running on IP 192.168.X.X on your local network, adding the line:
192.168.X.X my.domain.com
to the second device on your network should do the job.
Another solution is to run a proxy server on the same instance as your server and send all the requests to the proxy server. The proxy server will listen on another port but it will forward all the requests to my.domain.com with the original port, it will work since it uses the same /etc/hosts.
Try using the nginx web server as a proxy; its free version offers the feature you want.
Add a reverse proxy and host your app with my.domain.com,
OR
host your app on port :80, i.e. the default port.
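The proxy described in the first answer, written out as an added example (not code posted in the thread): nginx runs on the same host as the application, listens on a spare port bound to the LAN interface, and forwards to my.domain.com, which the host's own /etc/hosts resolves to 127.0.0.1. The LAN address 192.168.1.10 and port 8080 are assumptions.

```nginx
# Added example: LAN-facing proxy for an app that is only reachable as
# my.domain.com on the host itself.
# Assumptions: this host's LAN address is 192.168.1.10 and port 8080 is free.
server {
    # Bind to the LAN interface only, not 0.0.0.0, so the proxy is not
    # exposed on any other interface the server may have.
    listen 192.168.1.10:8080;

    location / {
        # Resolved at startup through the system resolver, which honours
        # /etc/hosts, so this reaches the local app on its original port.
        proxy_pass http://my.domain.com;

        # The app picks its virtual host by name, so send the name it
        # expects rather than the address:port the client typed.
        proxy_set_header Host my.domain.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Other devices then open http://192.168.1.10:8080. If the application issues absolute redirects or links to my.domain.com, the client device will try to resolve that name itself, and the /etc/hosts approach from the first answer is the simpler fix.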

Block proxy server clients from accessing local devices on the server

I'm running a public proxy server and would like to block clients from accessing local devices on the server.
Local devices are on 10.0.0.0/8.
The proxy server runs on 127.0.0.1:31336. Access to the proxy server is made by reverse proxy on nginx which is listening on a public IP address.
Would an iptables rule like "reject 127.0.0.1:31336 from accessing 10.0.0.0/8" work? If so can I get an example iptables command to do so?
If not, would I have to work with network namespaces to achieve what I am seeking for?
Why would you even use iptables for blocking clients of an nginx? Anyway, follow this tutorial; it will show you how you can allow or deny an IP or IP range: https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-tcp/

NGINX - How to hide IP on netstat

I leave my doubt here so that eventually people with more knowledge about Nginx can help me.
I have an application that uses port 2083, working as follows:
User -> Server where Nginx Proxy is hosted (Machine 1) -> Real IP of the application (Machine 2).
My goal is that the user, when connecting (after the Nginx redirection) to machine 2 (where the application is hosted), cannot view the real machine's IP (in order to prevent any DDoS attacks).
It turns out that after connecting to the application and opening the command prompt (cmd), typing netstat -n displays the real IP address of the machine (which I want to hide).
Would it be possible to do this (hide the real IP) using Nginx itself? All redirects are working perfectly, I just want to hide the IP address of the machine where the application is hosted.
I read about the iptables "MASQUERADE" function and tried it on both machines, but it didn't work. The netstat IP address is still displayed. I have also tested the parameter "proxy_bind $remote_addr transparent;" from Nginx, without success.
my code in nginx.conf:
stream {                              # TCP proxying on 2083 uses the stream module
    server {
        listen 2083;
        proxy_pass IP_MYSERVER:2083;  # no space between host and port
    }
}

Unable to access the JFrog Artifactory running as Docker container on Google Cloud

I have a VM running on GCP and got Docker installed on it. I have the NGINX web server running on it with a static reserved external/public IP address. I can easily access this site by the public IP address. Now, I have my Artifactory running on this VM as a Docker container, and the whole idea is to access this Docker container (Artifactory, to be precise) using the same public IP address with a specific port, say 8081. I have configured the reverse proxy in the NGINX web server to pass the request to the internal IP address of my Artifactory Docker container, but the request is not reaching it and I cannot access Artifactory.
Docker container is running:-
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a4119d923hd8 docker.bintray.io/jfrog/artifactory-pro:latest "/entrypoint-artifac…" 57 minutes ago Up 57 minutes 0.0.0.0:8081->8081/tcp my-app-dev-artifactory-pro
Here are my reverse proxy settings:-
server {
    listen 81;
    listen [::]:81;
    server_name [My External Public IP Address];
    location / {
        proxy_pass https://localhost:8081;
    }
}
Since you are using GCP to run this, I think that your issue is very simple. First, you do not need an Nginx in order to get to Artifactory inside a Docker container. You should be able to reach it very easily using the IP and port (for example XX.XX.XX.XX:8081), and I can see that in the Nginx configuration you are listening on port 81, which is not in use by Artifactory. I think that the issue here is either that you did not allow HTTP communication to your GCP instance in the instance configuration, or that you did not map the port in the "docker run" command.
You can see if the port is mapped by running the command "docker ps" and checking whether the "PORTS" section lists mapped ports. If not, you will need to map the port (8081 to 8081) and make sure your GCP instance has HTTP traffic enabled; then you will be able to get to Artifactory with IP:PORT.

Nginx status page in Docker

I have a server which hosts several Docker containers including an Nginx reverse proxy to serve content. In order to get status of this server I have added the following location block:
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    allow 172.0.0.0/8;
    deny all;
}
Under normal circumstances I would only have opened up 127.0.0.1 but that means that the host machine would not have access (only the Nginx container itself would) so I opened up all of the 172 addresses. Is there a cleaner/more secure way of doing this or is my approach reasonable for a production environment?
When docker starts it creates an interface docker0 that is an ethernet bridge, and assigns it an IP address. Docker tries to choose a smart default, and the 172.17.0.0/16 range is a good default. The host will route all traffic destined for that network to the docker0 bridge, and it's not accessible externally unless you've mapped a port.
In your question you've allowed 172.0.0.0/8, some of which is not RFC1918 private address space. You could restrict this further to either all of the addresses in the Docker network driver source I linked before, or simply 172.17.0.0/16 since that's the first in the list and is usually used.
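The answer's tightening, carried one step further as an added example (not code from the thread): when the host talks to a container on the default bridge, the connection arrives from the docker0 gateway address, so a single host address is enough and the other containers on the bridge stay excluded. The gateway 172.17.0.1 is the Docker default and an assumption here; a user-defined network has its own gateway, which `docker network inspect` shows.

```nginx
# Added example: stub_status reachable from inside the container and from the
# Docker host only.
# Assumption: the container is on the default bridge, whose gateway (docker0)
# is 172.17.0.1; substitute the gateway of your network if it differs.
location /nginx_status {
    stub_status on;
    access_log  off;

    allow 127.0.0.1;   # requests made from inside the container itself
    allow ::1;

    # Requests from the host enter the container from the bridge gateway
    # address, so allowing that one host suffices. 172.17.0.0/16 would also
    # admit every other container attached to the same bridge.
    allow 172.17.0.1;
    deny  all;
}
```

Verify the rule from the host with `curl http://<container-ip>/nginx_status` (should return the status page) and from another container on the same bridge (should return 403).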