
Situation

I have a Tinyproxy Docker container forwarding traffic on a host. I also have Nginx reverse proxy receiving/passing HTTP/HTTPS connections to other servers on the same host. Tinyproxy and Nginx are on different Docker networks. Nginx and the servers behind it share the same Docker network. If I try to restrict Nginx's incoming connections to connections coming from Tinyproxy, everything works fine. I checked Nginx's logs and saw that all proxied connections were coming from Nginx's gateway, presumably because Docker was handling the routing between its networks. Then I just restricted incoming connections to the gateway on Nginx's server directives:

allow 192.168.10.1;
deny all;

Problem

When I close 80 and 443/tcp ports on my host, Tinyproxy cannot access the servers. My goal is to close 80 and 443/tcp ports and only allow incoming traffic through Tinyproxy to servers behind Nginx.

What I've Tried

Specified Nginx's and Tinyproxy's networks in my UFW rules (ufw allow from 192.168.20.0/24 to 192.168.10.0/24 port 80/tcp; ufw allow from 192.168.20.0/24 to 192.168.10.0/24 port 443/tcp, 192.168.20.0/24 being Tinyproxy's network). No success.

  • nginx is a full reverse proxy; for what reason do you want to use Tinyproxy? – djdomi Mar 30 '23 at 17:46
  • @djdomi I'm using Tinyproxy as a forward proxy to limit access to Nginx; one of the apps behind Nginx does not support public key for client TLS on auth, so the solution I found was this – Vinicius Gonçalves Melo Mar 30 '23 at 18:14
  • nginx can do basic auth for example – djdomi Mar 30 '23 at 19:37
  • Yes, I just saw that Nginx can also act as a forward proxy... Well, it makes sense to me to have this host's reverse proxy (Nginx) and forward proxy (Tinyproxy) on different Docker networks, so that I can use different services/ports; what I cannot understand is why Tinyproxy's packets are blocked by UFW in this particular case – Vinicius Gonçalves Melo Mar 30 '23 at 19:58
  • Have you tried putting the 'allow' directive AFTER the 'deny all' directive? – Jérôme Radix Mar 31 '23 at 15:16
  • Hi @JérômeRadix. "The rules are processed in sequence, from top to bottom: if the first directive in the sequence is deny all, then all further allow directives have no effect", from [here](https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-tcp/#restricting-access-by-ip-address). It is working with this Nginx config and the 80/443 tcp ports opened on my host; it doesn't work if I close the 80/443 tcp ports on the host: Tinyproxy cannot forward to Nginx, even though the containers are running on the same host. – Vinicius Gonçalves Melo Mar 31 '23 at 20:09
  • This "logic" hurts mine: how could a "deny all" not deny all if "rules are processed in sequence from top to bottom" and you put "deny all" at the end... – Jérôme Radix Apr 01 '23 at 06:53
  • Speculating about something that was not explained leads me to: "Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers." Please provide all the things stated in there in your question – djdomi Apr 02 '23 at 07:41
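The comments above disagree on what ordering of allow/deny does. The following is an added example, not code from the question or from nginx: a small model of how the nginx access module evaluates allow/deny directives (top to bottom, first match on the client address wins, unmatched clients are allowed), applied to the asker's config and to the reversed ordering. The client addresses are constructed sample values.

```python
# Added example modelling nginx's allow/deny evaluation order; it is not the
# question's code and it is not nginx itself. Only 'allow'/'deny' with an IP,
# a CIDR or 'all' are modelled (no 'unix:' sockets).
import ipaddress

def parse_access_rules(config_text):
    """Turn 'allow X;' / 'deny X;' lines into ordered (action, network) pairs."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, _, target = line.partition(" ")
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {raw!r}")
        target = target.strip()
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules

def access_decision(rules, client_ip):
    """Return 'allow' or 'deny' for client_ip: the first matching rule decides."""
    addr = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network is None or (addr.version == network.version and addr in network):
            return action
    return "allow"  # no directive matched: nginx lets the request through

# The asker's ordering: only the Docker gateway address is admitted.
ASKER_CONFIG = """
allow 192.168.10.1;
deny all;
"""
# The ordering proposed in the comments: 'deny all' first shadows every later allow.
REVERSED_CONFIG = """
deny all;
allow 192.168.10.1;
"""

def evaluate(config_text, clients):
    """Map each client address to the decision the given config produces."""
    rules = parse_access_rules(config_text)
    return {ip: access_decision(rules, ip) for ip in clients}

if __name__ == "__main__":
    sample_clients = ["192.168.10.1", "192.168.20.5", "203.0.113.7"]  # constructed
    print("asker's order:  ", evaluate(ASKER_CONFIG, sample_clients))
    print("reversed order: ", evaluate(REVERSED_CONFIG, sample_clients))
```

Note that the check is purely on the source address nginx sees, so traffic that Docker routes through the 192.168.10.1 gateway is admitted regardless of where it originated.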

0 Answers