Home / server / Questions / 851943
In Process
Casey
Asked: 2017-05-24 23:54:17 +0800 CST

With nginx, how to restrict access to proxied TCP resources per preread hostname or upstream?

  • 772

The nginx docs and guides show that you can perform ip-based whitelisting/blacklisting inside a stream block.

However, I cannot find out how to allow/deny connections based on ip, for only certain hostnames that are read using ssl preread.

Situation

I have a nginx box that is proxying for many services on a private network. Some of these services should be exposed outside the network, while some should not. This nginx box is proxying both internal and external connections.

# TCP proxying with SSL passthrough & vhosts
stream {
        map $ssl_preread_server_name $name {
            public.example.com      public;
            private.example.com     private;
            default                 default_upstream;
        }

        upstream public {
                server 10.0.0.2:443;
        }

        upstream private {
                server 10.0.0.3:443;
        }

        upstream default_upstream {
                server 10.0.0.4:443;
        }

        server {
                listen      443;
                proxy_pass  $name;
                ssl_preread on;
        }
}

How can I apply ip based blocking to only connections headed for private.example.com?

nginx

2 Answers

  1. I found one simple way how to solve your issue. You should use additional server block to filter IPs. So, your config should looks like this one:

    # TCP proxying with SSL passthrough & vhosts
stream {
        map $ssl_preread_server_name $name {
            public.example.com      public;
            private.example.com     private;
            default                 default_upstream;
        }

        upstream public {
                server 10.0.0.2:443;
        }

        upstream private {
                #server 10.0.0.3:443;
                server 127.0.0.1:444;
        }

        upstream default_upstream {
                server 10.0.0.4:443;
        }

        server {
                listen      444;
                proxy_pass  10.0.0.3:443;
                ssl_preread on;
                deny  192.168.1.1;
                allow 192.168.1.0/24;
                allow 10.1.1.0/16;
                deny  all;
        }

        server {
                listen      443;
                proxy_pass  $name;
                ssl_preread on;
        }
}
    • 2

  2. Try with the below code block.

    Tested and working just fine. Telnet on port 443 will successfully establish but on checking through a web browser you'll notice the connection is being closed for unwanted clients.

    upstream poolwithlocalhostmemberonport_444 {
           server 127.0.0.1:444;
        }
upstream poolwithlocalhostmemberonport_442 {
           server 127.0.0.1:442;
        }



ssl_preread on;
map $ssl_preread_server_name $name {
            host1.com    poolwithlocalhostmemberonport_444;
            host2.com    poolwithlocalhostmemberonport_444;
            default      poolwithlocalhostmemberonport_442;
}

server {
        listen yourfloatingip:443;

        access_log /var/log/nginxsomething.access.log customstreamlogformat;
        error_log /var/log/nginx/something.error.log;


        proxy_protocol on;
        proxy_pass $name;
}

server {
        listen 127.0.0.1:444 proxy_protocol;

        set_real_ip_from 127.0.0.1; #will swap 127.0.0.1 as client addr with $proxy_protocol_addr content

        allow 10.0.0.0/8;
        allow 127.0.0.1;
        allow 1.2.3.4;
        deny  all;

        access_log /var/log/nginx/stream-access-internalfiltered.log customstreamlogformat;
        error_log /var/log/nginx/stream-error-internalfiltered.log;

        proxy_pass yournextupstream;
}

server {
        listen 127.0.0.1:442 proxy_protocol;

        set_real_ip_from 127.0.0.1;

        access_log /var/log/nginx/stream-access-unfiltered.log customstreamlogformat;
        error_log /var/log/nginx/stream-error-unfiltered.log;

        proxy_pass yournextupstream;
}
    • 1