I have set up an Nginx server as an L4 proxy (forward proxy with the stream module), with the following configuration in the nginx.conf file:
stream {
    resolver 8.8.8.8;
    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $ssl_preread_server_name:$server_port;
    }
}
Everything works fine with the configuration above.
But let's say I want to limit access to the URLs passing through my proxy server, not by limiting the IP address but by URL names.
I did some research and set up the following configuration file, and somehow I was able to control the URLs passing to my proxy.
But the issue starts from here. If a large website is called, since it has many links or subdomains loaded behind the scenes, and knowing that I have limited the URLs allowed to pass, and wildcarding subdomains is not working in the stream block, I am not able to load the requested website completely.
Is there a solution that can be used in the stream block to support wildcards for subdomains of a domain?
My new configuration is as below:
stream {
    map $ssl_preread_server_name $name {
        ipchicken.com ipchicken.com;
        www.bbc.com www.bbc.com;
        www.bbc.co.uk www.bbc.co.uk;
        bbci.co.uk bbci.co.uk;
    }
    server {
        resolver 8.8.8.8;
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $name:$server_port;
    }
}
events {
}
You are looking for the hostnames keyword. With this keyword you can use *.example.com as a wildcard entry for the example.com domain. Similarly as for the server_name directive, you can use .example.com for both example.com and *.example.com:
As an alternative you can use any regex within the map block, i.e.
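An added example, not part of the original answer: the question's allowlist rewritten with the hostnames keyword, using leading-dot entries and one regex entry. The domain names come from the question; returning $ssl_preread_server_name as the map value (so the matched subdomain is the one proxied to) is an assumption about the intended behaviour.

```nginx
events {
}

stream {
    resolver 8.8.8.8;

    # Allowlist keyed on the SNI name read by ssl_preread.
    # No "default" is set, so any name not listed here maps to an
    # empty string and proxy_pass has no upstream host for it.
    map $ssl_preread_server_name $name {
        hostnames;    # enables *.example.com and .example.com entries

        # Exact name only.
        ipchicken.com    $ssl_preread_server_name;

        # Leading dot: the domain itself and every subdomain.
        .bbc.com         $ssl_preread_server_name;
        .bbc.co.uk       $ssl_preread_server_name;

        # Regex alternative ("~" marks a case-sensitive regex):
        # bbci.co.uk and any subdomain of it.
        ~^(.+\.)?bbci\.co\.uk$    $ssl_preread_server_name;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $name:$server_port;
    }
}
```

The match is made on the SNI value the client sends in its ClientHello, because ssl_preread reads the handshake without terminating TLS. Running nginx -t after editing confirms the map entries parse before the proxy is reloaded.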