alternative log file in nginx for local requests - nginx

How can I redirect access logs to alternative file if requests come from my local network (e.g. 192.168.x.x)?
I've found some hints on how to disable logs based on the requester's IP, but in my case I want to log these requests to another file, so that for development purposes I'd see my own logs only in that specific file.

The answer is in your referenced pages, you just need to reverse the 1s and the 0s.
This should work:
map $remote_addr $private_ip {
    ~^192\.168\. 1;
    default 0;
}
map $remote_addr $public_local {
    ~^192\.168\. 0;
    default 1;
}
server {
    ...
    # access-private.log for requests from local network
    access_log /path/to/access-private.log main if=$private_ip;
    # access.log for all other requests (the variable name must match the map above)
    access_log /path/to/access.log main if=$public_local;
    ...
}
See this and this for details.
EDIT: Actually the geo directive is more appropriate for mapping a $remote_addr:
geo $private_ip {
    192.168.0.0/16 1;
    default 0;
}
geo $public_local {
    192.168.0.0/16 0;
    default 1;
}
See this document for details.
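An assembled version of the geo approach above, as an added example that is not part of the original answer: the complement variable is derived from `$private_ip` with a map, so the address range is written only once. The variable name `$not_private`, the log paths and the server name are assumptions; `combined` is nginx's predefined log format.

```nginx
# Added example (not the original answer's code). Paths, server_name and
# $not_private are assumptions.
events {}

http {
    # 1 for clients in the local range from the question, 0 otherwise.
    geo $private_ip {
        default        0;
        192.168.0.0/16 1;
    }

    # Complement of $private_ip, derived instead of repeating the range.
    map $private_ip $not_private {
        default 1;
        1       0;
    }

    server {
        listen 80;
        server_name example.com;

        # if= skips the log entry when the value is "0" or empty.
        access_log /var/log/nginx/access-private.log combined if=$private_ip;
        access_log /var/log/nginx/access.log         combined if=$not_private;

        location / {
            return 200 "ok\n";
        }
    }
}
```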

Related

NGINX Ingress Redirection Based On Domain Name

I have two domain names, each for different applications hosted in a single kubernetes cluster.
Is there a way to configure ingress to redirect to the different apps based on the hostname in the request it receives?
For example:
www.app1.com and www.app2.com point to the same IP address. However, I want www.app1.com to redirect to /appABC while www.app2.com redirect to /appXYZ.
I have attempted to capture the host name and use this to determine the redirect but it doesn't work.
Is what I'm trying to do possible with NGINX?
Yes, it is possible. You need to create two configuration files and point them to their respective paths. Please follow this link for more info, and also refer to this SO to get a further idea of how to use it.
After some experimentation, using the NGINX Playground, I was able to come up with this solution.
...
nginx.ingress.kubernetes.io/server-snippet: |
  set $is_app1_base 1;
  set $is_app2_base 1;
  if ($host !~ "^.*app1\.com$" ) {
    set $is_app1_base 0;
  }
  if ($request_uri != "/") {
    set $is_app1_base 0;
    set $is_app2_base 0;
  }
  if ($is_app1_base = 1) {
    return 301 $scheme://$host/appABC;
  }
  if ($host !~ "^.*app2\.com$" ) {
    set $is_app2_base 0;
  }
  if ($is_app2_base = 1) {
    return 301 $scheme://$host/appXYZ;
  }
In case you're wondering why a number of if statements had to be used this way, NGINX is not that great with if statements and logical operations.
Another caveat worth stating here is that all ingresses associated with this NGINX controller will be affected by this server-snippet, because nginx.ingress.kubernetes.io/server-snippet is a global annotation.

Nginx conditionally allow all to react sub-route based on IP

I'm setting up an NGINX server and need to configure it to allow only certain IPs access to the root of a react application, but allow all to a certain subfolder (react route). Basically I need to allow all traffic to /sub/ but only a handful of IPs to the home directory /.
I tried
location /sub/* { allow all; }
location / {
    allow x.x.x.x;
    deny all;
}
but was getting a 403 error when using any other IP address except the 'x.x.x.x'.
What's the correct way to achieve this?
Thanks.
Here is what you can try to do:
map $uri $disallow_by_route {
    ~^/subroute/ ""; # allow /subroute/... for all
    default 1;
}
map $remote_addr $disallow {
    x.x.x.x ""; # some allowed IP
    y.y.y.y ""; # another allowed IP
    default $disallow_by_route;
}
server {
    ...
    location / {
        if ($disallow) { return 403; }
        ...
    }
}
However, if your allowed pages use some assets (js, css, images etc.) from some path other than /subroute/..., this config won't let them load for restricted IPs. You can try to allow them by checking the value of the HTTP Referer header with a more complex chain of map blocks:
map $http_referer $disallow_by_referer {
    # use a regex for your actual domain here
    ~^https?://example\.com/subroute/ "";
    default 1;
}
map $uri $disallow_by_route {
    ~^/subroute/ "";
    # list all the other possible assets extensions (png, gif, svg, webp etc.) here
    ~\.(?:js|css)$ $disallow_by_referer;
    default 1;
}
map $remote_addr $disallow {
    x.x.x.x ""; # some allowed IP
    y.y.y.y ""; # another allowed IP
    default $disallow_by_route;
}
server {
    ...
    location / {
        if ($disallow) { return 403; }
        ...
    }
}
Please note that this solution won't work if your server configuration (or react app itself) sets the referer policy to no-referer.

Http_user_agent not detected in Nginx

I want to block some user agents, but Nginx seems not to see them.
I used a map, declaring it in the http section and having the test in the server section (as shown in many tutorials):
map $http_user_agent $badagent {
    default 0;
    ~*archive.org_bot 1;
    ~*Anemone 1;
    ~*Ant.com 1;
    ~*Baidu 1;
    ~*Bot/1.0 1;
    ~*Companybook 1;
    ~*Go-http-client 1;
    ~*Pcore-HTTP 1;
}
Then, in the server section:
if ($badagent) {
    return 444;
}
I've tried this too:
if ($badagent = 1) {
    return 444;
}
To make it easier, I even tried this:
if ($http_user_agent="Mozilla") {return 404;}
and
if ($http_user_agent = "Mozilla") {return 404;}
There is no error, but even after a restart, my browser is not blocked. What did I do wrong?
I found the issue.
I have a nginx.conf file AND a mydomain.conf file.
Whenever the instruction was in my main nginx.conf file (that is parsed and part of the config), the instruction/test was not taken into consideration.
But as soon as I moved the instruction into the mydomain.conf file, everything was working fine.

Whitelist allow for specific requests Nginx

I have a server with Nginx in front of it. Many of the requests contain a special word, for example:
/posts/men/clouths
I also have a whitelist IP file. I want to write a rule in Nginx so that if a request contains "men", it is only allowed if the requester's IP is in the whitelist file.
If a request does not contain "men", allow it anyway.
Done
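http {
    ## load whitelist
    ## (for the check below to work, whitelist.txt has to map each whitelisted address to 1)
    map $remote_addr $deny {
        default 0;
        include /path/to/whitelist.txt;
    }
    server {
        ## check
        set $is_white_list 0;
        # 1 when the request URI contains "men"
        if ($request_uri ~ ".*men.*") {
            set $is_white_list 1;
        }
        # prepend 1 for whitelisted addresses: the value becomes 10 or 11
        if ($deny) {
            set $is_white_list 1$is_white_list;
        }
        # exactly 1 means: URI contains "men" and the address is not whitelisted
        if ($is_white_list = 1) {
            return 403;
        }
        ##// epg check
    }
}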
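A variant of the check above, as an added example that is not the answer's code: it uses geo so the list can hold CIDR ranges, and it combines both conditions in one map instead of concatenating digits. It matches "men" only as a whole path segment of `$uri`, which is an assumption about the intent (the answer's regex matches the substring anywhere in the request URI); file paths, variable names, the server name and the upstream address are assumptions too.

```nginx
# Added example (not the answer's code). File paths, server_name, the
# upstream address and all variable names are assumptions.
events {}

http {
    # allowlist.conf is assumed to hold geo entries, one per line, e.g.
    #   203.0.113.10    1;
    #   198.51.100.0/24 1;
    geo $allowlisted {
        default 0;
        include /etc/nginx/allowlist.conf;
    }

    # 1 when "men" is a whole path segment. $uri is the decoded, normalized
    # path without the query string, so /payment and /?q=men do not match.
    map $uri $restricted_path {
        default      0;
        ~/men(/|$)   1;
    }

    # Deny only the combination "restricted path" + "address not listed".
    map "$restricted_path:$allowlisted" $deny_request {
        default 0;
        "1:0"   1;
    }

    server {
        listen 80;
        server_name example.com;

        if ($deny_request) {
            return 403;
        }

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```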

can you set an exception for nginx's requests per second limit?

We try to save nginx resources by limiting the number of requests per second:
http {
    limit_req_zone $binary_remote_addr zone=gulag:10m rate=2r/s;
    server {
        location / {
            proxy_pass http://0.0.0.0:8181;
            limit_req zone=gulag burst=40;
        }
    }
}
However, most employees in our company are also heavy users of our own website. Since everyone in the company appears to come from the same IP address, we're getting 503 errors because nginx thinks all the traffic is coming from one user. Can we add our IP as an exception to the requests per second limit?
Yes, you can. Just a quote from the documentation:
The key is any non-empty value of the specified variable (empty values are not accounted).
So you can achieve your goal by using geo and map modules like this:
geo $limited_net {
    default 1;
    10.1.0.0/16 0;
}
map $limited_net $addr_to_limit {
    0 "";
    1 $binary_remote_addr;
}
limit_req_zone $addr_to_limit zone=gulag:10m rate=2r/s;
