Our Nginx config has quite a few `server` and `location` declarations. I'm working on adding some whitelisting using `deny all` and `allow x.x.x.x` directives. I'm wondering how I can define a global list of IPs and then allow them for multiple sites without listing them all explicitly under every `server` and `location`.
In doing some research, it looks like variables are not recommended in the Nginx config due to performance? However, I'm more worried about user error when updating the whitelist causing security issues.
Here is my goal (pseudocode):

```nginx
set iplist1 [10.1.0.0/16, 100.100.100.100, 200.200.200.200]
# local addresses, remote dev 1, remote dev 2
set iplist2 [10.1.0.0/16, 50.50.50.50, 30.30.30.30]
# local addresses, remote site 1, remote site 2

server {
    server_name devportal.domain.com;
    location / {
        allow $iplist1;
        deny all;
    }
}

server {
    server_name siteportal.domain.com;
    location / {
        allow $iplist2;
        deny all;
    }
}
```
If it's not recommended to use variables, is there another way to accomplish this? The primary goal being that I don't have to update 10 sites when my whitelist changes.
Put the `set` commands in a file, and include it wherever you want it available.
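As an added illustration of the include approach (not part of the answer above), the shared list can be kept as plain `allow`/`deny` directives in one file per audience and pulled into each `location` with `include`. The file paths under `/etc/nginx/acl/` and the IPs are assumed for the example; the addresses are the ones from the question.

```nginx
# /etc/nginx/acl/devs.conf  (assumed path)
# Edit this one file to change who may reach every dev site.
allow 10.1.0.0/16;        # local addresses
allow 100.100.100.100;    # remote dev 1
allow 200.200.200.200;    # remote dev 2
deny  all;                # must stay last: directives are evaluated in order

# /etc/nginx/acl/sites.conf  (assumed path)
allow 10.1.0.0/16;        # local addresses
allow 50.50.50.50;        # remote site 1
allow 30.30.30.30;        # remote site 2
deny  all;

# /etc/nginx/conf.d/portals.conf  (assumed path)
server {
    server_name devportal.domain.com;
    location / {
        include /etc/nginx/acl/devs.conf;
        # ... proxy_pass / root etc.
    }
}

server {
    server_name siteportal.domain.com;
    location / {
        include /etc/nginx/acl/sites.conf;
        # ... proxy_pass / root etc.
    }
}
```

Run `nginx -t` before reloading so a typo in the shared ACL file is caught once, centrally, rather than silently leaving a site open; and keep `deny all` inside the included file so no site can forget it.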