6

I have an nginx setup like this, where a server should be mostly private (only certain IP addresses may use the server), except for one location block which should be publicly available:

server {
  listen  443 ssl default;

  # Allow access only from certain IP addresses
  allow   12.34.56.78/32;
  allow   10.0.2.2/32;
  deny    all;

  # Proxy dynamic requests to the app
  location / {
    proxy_pass  http://127.0.0.1:8000;
  }
  # Serve static assets from disk
  location = /favicon.ico {
    alias  /var/www/example.com/htdocs/static/images/favicon.png;
  }
  location /static {
    alias  /var/www/example.com/htdocs/static;
  }
  ...

  # Allow public access to this endpoint
  location = /public/endpoint {
    proxy_pass  http://127.0.0.1:9000;

    # Allow *all* IPs here, so that they don't hit the server "deny" rule
    # [except this doesn't seem to work...]
    allow 0.0.0.0/0;
  }
}

However, adding that `allow` rule in the public location block at the end does not work — requests from IPs not in the list above get rejected.

Moving the `deny all` rule from the server block into each of the non-public location blocks doesn't have the expected effect either.

Is there a way to implement the desired behaviour, without having to copy the entire set of "allow, allow, allow, deny" rules into every non-public location block?

Christopher

1 Answer

4

You should just use `allow all`:

location = /public/endpoint {
    proxy_pass  http://127.0.0.1:9000;

    # Allow *all* IPs here, so that they don't hit the server "deny" rule
    allow all;
}

Also, if you use different kinds of restrictions, you might need to add `satisfy any;` for it to work.

Christopher
ek9
  • Thanks. I somehow missed that `all` was an acceptable `allow` option each time I read the documentation. But it seems that my config was working anyway; a `proxy_intercept_errors` rule was making it look otherwise :) – Christopher May 20 '14 at 09:35
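
The `satisfy any;` case mentioned at the end of the answer, as an added example (not code from the question or the answer). It assumes the server also enforces `auth_basic`; the realm name and password file path are hypothetical, and the addresses and ports are taken from the question.

```nginx
server {
  listen  443 ssl default;
  # TLS certificate directives omitted for brevity

  # Two kinds of restriction at server level. With the default
  # "satisfy all", a request must pass BOTH the IP rules and basic auth.
  allow   12.34.56.78/32;
  allow   10.0.2.2/32;
  deny    all;
  auth_basic            "Restricted";          # hypothetical realm
  auth_basic_user_file  /etc/nginx/htpasswd;   # hypothetical path

  # No allow/deny here, so the server-level list is inherited as a whole.
  location / {
    proxy_pass  http://127.0.0.1:8000;
  }

  # Not sufficient on its own: "allow all" replaces the inherited IP
  # list (allow/deny are inherited only when the location defines none),
  # but auth_basic is still inherited, so clients are still asked for
  # credentials.
  # location = /public/endpoint {
  #   proxy_pass  http://127.0.0.1:9000;
  #   allow all;
  # }

  # Public: the IP check passes for every client, and "satisfy any"
  # makes one passing check enough, so basic auth is not required here.
  location = /public/endpoint {
    proxy_pass  http://127.0.0.1:9000;
    allow    all;
    satisfy  any;
  }
}
```

Because `satisfy any` is set only inside the exact-match location, every other path keeps the server-level requirement that both the IP rules and basic auth pass.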