IP-Filtering on Apache-nginx-Combo

We have a request to secure a domain by restricting access to the IP ranges of a WAF cloud. The server runs Apache for PHP and nginx as a reverse proxy server, so the chain from browser to website is presumably: Client <-> DNS <-> WAF <-> nginx <-> Apache

From looking at the logs I found that requests fulfilled by nginx do come from the IPs of the WAF, while those answered by Apache do not (I see my own IP address in the logs when going to the website). nginx is configured using Plesk to be in proxy mode with smart static file processing.

Applying the directives to Apache (.htaccess) leads to 403, which is no surprise because it does not get requests from the WAF server.

I couldn't apply the directives to nginx using Plesk (Additional directives); this gives me an error message. I tried:

location / {
    allow 199.83.128.0/21;
    allow 2a02:e980::/29;
    deny all;
}

nginx: [emerg] duplicate location "/" in /var/www/vhosts/system/example.co/conf/vhost_nginx.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed

This server runs Plesk 17.8.11, nginx 1.14.2 and Apache 2.4.7 on Ubuntu 14.04.6. This server hosts several domains.

Is the way I try to solve this correct? Why do I get this error?

Adding the conf file of the domain containing the location directive:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

server {
    listen 00.000.00.00:443 ssl http2;

    server_name example.com;
    server_name www.example.com;
    server_name ipv4.example.com;

    ssl_certificate             /opt/psa/var/certificates/scfPNclj5;
    ssl_certificate_key         /opt/psa/var/certificates/scfPNclj5;
    ssl_client_certificate      /opt/psa/var/certificates/scf58Rxns;

    client_max_body_size 128m;

    proxy_read_timeout 300;

    root "/var/www/vhosts/example.com/httpdocs";
    access_log "/var/www/vhosts/system/example.com/logs/proxy_access_ssl_log";
    error_log "/var/www/vhosts/system/example.com/logs/proxy_error_log";

    if ($host ~* ^superglass\.de$) {
        rewrite ^(.*)$ https://www.example.com$1 permanent;
    }

    #extension letsencrypt begin
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/vhosts/default/htdocs;

        types { }
        default_type text/plain;

        satisfy any;
        auth_basic off;
        allow all;

        location ~ ^/\.well-known/acme-challenge.*/\. {
            deny all;
        }
    }
    #extension letsencrypt end

    location / {
        proxy_pass https://00.000.00.00:7081;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Accel-Internal /internal-nginx-static-location;
        access_log off;

    }

    location /internal-nginx-static-location/ {
        alias /var/www/vhosts/example.com/httpdocs/;
        internal;
    }

    location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
        proxy_pass https://00.000.00.00:7081;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Accel-Internal /internal-nginx-static-location;
        access_log off;

    }

    location ~ "^/files/" {
        proxy_pass https://00.000.00.00:7081;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Accel-Internal /internal-nginx-static-location;
        access_log off;

    }

    add_header X-Powered-By PleskLin;

    include "/var/www/vhosts/system/example.com/conf/vhost_nginx.conf";
}

server {
    listen 00.000.00.00:80;

    server_name example.com;
    server_name www.example.com;
    server_name ipv4.example.com;

    client_max_body_size 128m;

    proxy_read_timeout 300;

    if ($host ~* ^superglass\.de$) {
        rewrite ^(.*)$ https://www.example.com$1 permanent;
    }

    return 301 https://$host$request_uri;
}

There is another file included in 'var/www/...', which is empty. Probably I should add my stuff there.

Answer 1

Forget the location setting in "Additional Nginx Directives". Scroll up on Plesk's "Apache & nginx Settings" page to the "Deny access to the site" section. There you can simply enter your IP addresses or IP address ranges that you want to "allow" or "deny" and Plesk will handle it correctly for you regardless of whether you are using Nginx-only or proxy mode.
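As an added illustration (not from the question or the answer), this is what the per-domain include file referenced in the error message could contain if one wanted to express the same allow/deny list by hand: since that file is included inside a server block that already defines location /, the directives go at server level instead of in a second location /, and nginx's access module passes them down to every location that does not set its own. It assumes the WAF ranges quoted in the question are the complete list from the provider.

```nginx
# /var/www/vhosts/system/example.com/conf/vhost_nginx.conf
# Added example, not Plesk-generated content and not the poster's file.
#
# This file is pulled in by "include" near the end of the generated
# server { } block, which already contains "location / { proxy_pass ... }".
# Defining "location /" here again is what produces:
#   nginx: [emerg] duplicate location "/" in .../vhost_nginx.conf:1
#
# allow/deny are valid in server context and are inherited by each
# location below unless that location declares its own allow/deny.
# The generated Let's Encrypt location sets "allow all", so ACME
# challenges keep working; everything proxied to Apache is restricted.

allow 199.83.128.0/21;    # WAF range from the question (IPv4)
allow 2a02:e980::/29;     # WAF range from the question (IPv6)
deny  all;                # everyone else gets 403 from nginx

# Note: the plain-HTTP server block only issues a 301 to https://,
# so the filter effectively applies to the :443 server block.
```

Validate with `nginx -t` before reloading; if the WAF vendor publishes additional ranges, each one needs its own allow line, or legitimate traffic will be refused.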

Related information