Stop NGINX from logging my IP address - nginx

I'd like to stop NGINX from logging my own IP address in my access.log. Is this possible? I can easily do it in Apache but I haven't been able to find anything like this for NGINX.

This should really be on serverfault so I'll vote for a move.
But I can help a little here.
Short version, no you can't.
Long version. You can hack around it by using different backends for where you log one and don't log the other. Or by creating an extra server on a different port. But there isn't really a clean way of filtering an IP address from the logs.
You can however filter by url, perhaps that is an option for you?

You could create a virtual host that will log only your accesses, while the main log will log the rest. In this case you would access the new virtual host from your machine.
server {
    listen 80;
    server_name domain.com www.domain.com;
    access_log logs/domain.access.log;
}
Then you create a second one
server {
    listen 80;
    server_name me.domain.com;
    access_log logs/me.domain.access.log;
}
Or remove the last line.
This way your accesses won't mix with the external accesses.
You have to add me.domain.com in DNS or in your /etc/hosts, with the same IP as the main domain.
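A single-server alternative to the two-virtual-host setup above, as an added example that is not part of the original answers: since nginx 1.7.0 the access_log directive accepts an if= condition, which a geo block can drive. The address 203.0.113.7 and the variable names are placeholders; the log paths are the ones used above.

```nginx
http {
    # geo matches against $remote_addr by default.
    # Behind a proxy or CDN that is the proxy's address, not yours.
    geo $from_me {
        default        0;
        203.0.113.7    1;   # placeholder: your own address
    }

    # Inverse flag. access_log if= skips a request when the
    # condition evaluates to "0" or an empty string.
    map $from_me $from_others {
        1          0;
        default    1;
    }

    server {
        listen 80;
        server_name domain.com www.domain.com;

        # Everyone else goes to the main log.
        access_log logs/domain.access.log combined if=$from_others;

        # Your own requests go to a separate file instead of being
        # dropped, so activity from that address stays auditable.
        access_log logs/me.domain.access.log combined if=$from_me;
    }
}
```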

Related

Nginx reverse proxy without defining server_name?

I need to access a webserver in a private network, that has no direct access from outside. Opening router ports etc. is not an option.
I try to solve this with a raspi in that network, that I can manage via upswift.io.
Amongst other things, upswift allows temporary remote access to a given port over URLs like
http://d-4307-5481-nc7nflrh26s.forwarding.upswift.io:56947/
This will map to a port that I can define.
With this, I can access a VNC Server on the pi, start a browser there and access the webserver I need.
But I hope to find a more elegant way, where I can access the Site from my local browser, and where the Pi does not need to run a Desktop.
As far as I found out, this can be done with a reverse proxy like nginx.
I found a lot of tutorials on it, but I struggle at one point:
After being able to install nginx and accessing its default index page from my local browser through the temporary upswift.io URL, I can't get it to work as reverse proxy.
I think my conf needs to look like
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://192.x.x.2;
    }
}
Where example.com would be the name or IP under which the device is accessed.
Now, this would not work for me, as that name is dynamic.
So I wonder if there's a way to configure nginx so it does not need that name. I would expect that is possible, as the default webserver config works without it too. Are reverse proxies different in that regard?
Or, is there a better way than with a reverse proxy to do what i want?
You could try to define it as a default block
server {
    listen 80 default_server;
    server_name _;
    location / {
        proxy_pass http://192.x.x.2;
    }
}

Redirect to internal local ip and port without using /etc/hosts (nginx)

I have a DIY (poor man's) NAS and I can access the file-browser in my home-network by using the IP: 192.168.0.2:1111
I could modify the /etc/hosts in each of my devices to redirect my-fancy-filebrowser-url.com to 192.168.0.2:1111.
However, I want to find an alternative that does not involve modifying the /etc/hosts of each device in my network. I do not want to set up a local DNS server either as it will probably slow down the resolution of internet domains, I am using 8.8.8.8 or 1.1.1.1 to resolve domain names quicker.
One of those alternatives I found out, is by using nginx. I have purchased a domain name, let's call it mydomain.com and I have an IPv6 VPS server. I have used Cloudflare to redirect a URL to my server IPv6 address and I have installed nginx to my VPS and I have created this config file:
http {
    # redirect to my router page
    server {
        listen [d6b6:8760:97ec:ea7a:562c:c954:bb8d:6e41]:80;
        return 302 http://192.168.0.1;
    }
    # redirect to filebrowser
    server {
        listen [d6b6:8760:97ec:ea7a:562c:c954:bb8d:6e42]:80;
        return 302 http://192.168.0.2:1111;
    }
}
The redirect to my router admin page is working perfectly as expected (for anyone interested I pointed Cloudflare subdomain.mydomain.com to the IPv6 address). But the filebrowser one is not. I suspect it is because I am trying to specify a port to redirect to. Is it possible to do something like this with nginx? Or is there any better alternative that does not involve modifying /etc/hosts or setting your own DNS server?
Edit: my bad, I was actually inputting the IPv6 address incorrectly in Cloudflare. It was missing 1 digit so it was never going to work. I corrected the IP and it works good. The accepted answer does it more cleverly with URLs instead of hardcoding the IPv6 which is a good idea! Just note that if you are using an IPv6 server then you are going to listen in the [::]:80 port
Remove the IPv6 addresses in the listen directive and add server_name directives instead:
http {
    # redirect to my router page
    server {
        listen 80;
        server_name router.mydomain.com;
        return 302 http://192.168.0.1;
    }
    # redirect to filebrowser
    server {
        listen 80;
        server_name filebrowser.mydomain.com;
        return 302 http://192.168.0.2:1111;
    }
}
"I do not want to set up a local dns server either as it will probably slow down the resolution of internet domains"
This is probably a wrong assumption. Something like dnsmasq is able to resolve local names and forward all other DNS queries to upstream servers (like 8.8.8.8 or 1.1.1.1), caching the results. So when set up properly you wouldn't need a domain or a VPS in this case.

Block direct IP access with NGINX with site behind Cloudflare

I'm trying to block direct IP access with NGINX.
I added the following block
server {
    listen 80 default_server;
    server_name "";
    return 444;
}
I have another server block
server {
    listen 80;
    server_name aaa.domain.com;
    ...
}
The problem is that after adding the server block for refusing direct IP access, I can no longer access my website via aaa.domain.com
It seems the first server block is catching all requests.
Note, I'm using Cloudflare, and I wonder if it might be related? Perhaps NGINX detects the incoming request from Cloudflare as being of direct IP access and blocks it? If so, how could I solve this?
If it matters, the above server blocks are on different files located in sites-enabled dir.
Cloudflare gives the list of IPs and ranges. You deny all and you accept traffic from these IPs, and it will work -> https://serverfault.com/questions/601339/how-do-i-deny-all-requests-not-from-cloudflare
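The allowlist this answer describes, as an added example that is not part of the original post. The CIDR ranges are documentation placeholders standing in for Cloudflare's published list, and the root path is an assumption.

```nginx
# Requests with no Host header, or with a Host that matches no
# server_name on this port (for example the bare IP), end up here.
# 444 is nginx's own code for "close the connection, send nothing".
server {
    listen 80 default_server;
    server_name "";
    return 444;
}

server {
    listen 80;
    server_name aaa.domain.com;

    # Accept connections only from the CDN's edge ranges.
    # Placeholders: replace with every range from the published
    # list, one "allow" line per range, and keep them up to date.
    allow 192.0.2.0/24;
    allow 198.51.100.0/24;
    deny  all;              # everything else gets 403

    # allow/deny test the connection's source address. If the
    # realip module rewrites that address from a request header in
    # this server, the rules run against the visitor's address
    # instead and the allowlist stops matching the CDN.

    root /var/www/html;     # assumption: static site root
}
```

Rules are evaluated in order and the first match wins, so `deny all` has to stay after the last `allow` line.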

Subdomain is unexpectedly resolving despite Nginx not being set up to reverse proxy it

So I have been setting up my home network to host a few websites under a domain (and its subdomains) using a combination of Cloudflare to proxy and provide DDoS protection/HTTPS to the sites, and an Nginx reverse proxy running on my network to allow multiple sites to return from behind the same gateway that the DNS records in Cloudflare are pointed at.
For the purposes of this explanation, I will replace my real domain name with [domainNameHere].
The first thing to explain is my DNS setup on Cloudflare.
I have 4 CNAME records set up to do the following:
Note that I'm using CNAME records because I do not have a static home IP, therefore I'm using a Dynamic DNS address that resolves to the IP address of my gateway. This same Dynamic DNS address is used in place of an A record as I'm aiming to not need to update A records all the time, and instead just have it resolve via an automatically updating Dynamic DNS record.
[domainNameHere].net - Reverse proxy returns the root site when this domain is requested.
www.[domainNameHere].net - Behaves the same as the above, just there to handle any www requests, the reverse proxy returns the same root site for both www and the root domain name.
map.[domainNameHere].net - When this subdomain of [domainNameHere] is called, the reverse proxy instead returns a different site (a map, as you might have guessed).
test.[domainNameHere].net - This is a proxied DNS record set up in Cloudflare for future purposes, I do not yet intend for it to actually return a site.
Now, the expected behaviour is that all of these DNS records should currently return a site, except for test.[domainNameHere].net which shouldn't - I'd expect it to just return a standard ERR_NAME_NOT_RESOLVED like any other DNS record that doesn't actually go anywhere.
Instead though, when test.[domainNameHere].net is used, it returns the root site that [domainNameHere].net and www.[domainNameHere].net resolve to?
Using map, www or the root domain name all return the expected content.
I believe that I have configured something incorrectly in the Nginx settings, below are the two configuration files that are currently in my sites-enabled directory:
server {
    listen 80;
    listen [::]:80;
    root /var/www/html;
    index index.nginx-debian.html;
    server_name [domainNameHere].net www.[domainNameHere].net;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name test.[domainNameHere].net;
    location / {
        proxy_pass http://jake-server:8123;
    }
}
Is there anything wrong with my Nginx setup? I thought the behaviour would be that if I haven't set up test.[domainNameHere].net within Nginx, then it wouldn't resolve on the reverse proxy and therefore wouldn't return anything, or would just return the Nginx 404/403 page?
Is it maybe something to do with how the first setup file is set up to point to local files on the proxy, rather than using proxy_pass like is usually done in a reverse proxy?
Or is this not an issue with Nginx, and is an issue with how I've set Cloudflare up?

Domain name and port based proxy

I think I finally grasped how Docker works, so I am getting ready for the next step: cramming a whole bunch of unrelated applications into a single server with a single public IP. Say, for example, that I have a number of legacy Apache2-VHost-based web-sites, so the best I could figure was to run a LAMP container to replicate the current situation, and improve later. For argument sake, here is what I have a container at 172.17.0.2:80 that serves
http://www.foo.com
http://blog.foo.com
http://www.bar.com
Quite straightforward: publishing port 80 lets me correctly access all those sites. Next, I have two services that I need to run, so I built two containers
service-a -> 172.17.0.3:3000
service-b -> 172.17.0.4:5000
and all is good, I can privately access those services from my docker host. The trouble comes when I want to publicly restrict access to service-a through service-a.bar.com:80 only, and to service-b through www.foo.com:5000 only. A lot of reading after, it would seem that I have to create a dreadful artefact called a proxy, or reverse-proxy, to make things more confusing. I have no idea what I'm doing, so I dove nose-first into nginx -- which I had never used before -- because someone told me it's better than Apache at dealing with lots of small tasks and requests -- not that I would know how to turn Apache into a proxy, mind you. Anyway, nginx sounded perfect for a thing that has to take a request and pass it onto another server, so I started reading docs and I produced the following (in addition to the correctly working vhosts):
upstream service-a-bar-com-80 {
    server 172.17.0.3:3000;
}
server {
    server_name service-a.bar.com;
    listen 80;
    location / {
        proxy_pass http://service-a-bar-com-80;
        proxy_redirect off;
    }
}
upstream www-foo-com-5000 {
    server 172.17.0.4:5000;
}
server {
    server_name www.foo.com;
    listen 5000;
    location / {
        proxy_pass http://www-foo-com-5000;
        proxy_redirect off;
    }
}
Which somewhat works, until I access http://blog.bar.com:5000 which brings up service-b. So, my question is: what am I doing wrong?
nginx (like Apache) always has a default server for a given ip+port combination. You only have one server listening on port 5000, so it is your de facto default server for services on port 5000.
So blog.bar.com (which I presume resolves to the same IP address as www.foo.com) will use the default server for port 5000.
If you want to prevent that server block being the default server for port 5000, set up another server block using the same port, and mark it with the default_server keyword, as follows:
server {
    listen 5000 default_server;
    root /var/empty;
}
You can use a number of techniques to render the server inaccessible.
See this document for more.
