Nginx Allow Domain Instead Of IP Address
-
I've easily set up the allow/deny rules in Nginx config files to limit access to a particular site based on IP address, but what I'm trying to figure out is if there's a way to have similar rules based on domain names. I have a client who wants to limit access to his company portal to his satellite offices, however still wants access from home for him and his executive team, which are obviously dynamic IP addresses. He's already set up a DDNS service and can resolve his home IP address from the domain name. I'd like to be able to force Nginx to also resolve the IP based on that same domain name.
Anyone ever successfully set that up? My google-fu is failing me on this one.
-
This is kinda what you want to do....
https://mangolassi.it/topic/15008/pihole-for-friends-and-family/
-
-
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
This is kinda what you want to do....
https://mangolassi.it/topic/15008/pihole-for-friends-and-family/
Not exactly. In this setup, the server firewall controls who can access. The way I have it set up is that the Nginx config file is managing the allow/deny rules and displays a 403 error for any IP not in the allow list.
Although I suppose that if I can't find a way to have Nginx resolve the IP to manage the allow/deny, this could be an option. Was trying to avoid relying on external functions but this could work at the server level. Only thing is, the visitor won't get the 403 error page.
-
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
Or maybe this?
Not really an option since I'm allowing a range of IPs assigned to the company in the Nginx config file. It wouldn't be viable to set up a cert on every endpoint in the company to allow access to the portal. This option works great if you're dealing with only a few endpoints that don't often change.
-
@nashbrydges said in Nginx Allow Domain Instead Of IP Address:
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
This is kinda what you want to do....
https://mangolassi.it/topic/15008/pihole-for-friends-and-family/
Not exactly. In this setup, the server firewall controls who can access. The way I have it set up is that the Nginx config file is managing the allow/deny rules and displays a 403 error for any IP not in the allow list.
Although I suppose that if I can't find a way to have Nginx resolve the IP to manage the allow/deny, this could be an option. Was trying to avoid relying on external functions but this could work at the server level. Only thing is, the visitor won't get the 403 error page.
What he actually means is that in that thread they set up a method to check DynDNS resolution for updates and then subsequently update the firewall rules for the new IP address. So the only external function would be a script on your Nginx box that runs and updates the conf file and then reloads nginx.
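The script-based approach from the post above (resolve the DDNS name, rewrite the conf file, reload nginx), shown as an added example that is not part of the original thread. The hostname `home.example.net`, the include path and the office range `203.0.113.0/24` are assumed placeholder values.

```shell
#!/bin/sh
# Added example: regenerate an nginx allow-list include from a DDNS name.
# Assumed, not from the thread: home.example.net, the include path and the
# static office range 203.0.113.0/24 (a documentation range).
DDNS_NAME="${DDNS_NAME:-home.example.net}"
INCLUDE="${INCLUDE:-/etc/nginx/conf.d/portal-allow.inc}"

# Resolve a name to its IPv4 addresses, one per line (glibc getent).
resolve_ips() { getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u; }

# Test the new config first; if the test fails, no reload is sent.
reload_nginx() { nginx -t -q && nginx -s reload; }

# Accept only a bare dotted quad, so nothing a DNS answer contains can
# end up as an extra directive in the nginx config.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# stdin: candidate addresses; stdout: the complete include file.
render_allow() {
    echo "# generated from $DDNS_NAME - do not edit"
    echo "allow 203.0.113.0/24;   # static office range (assumed)"
    while read -r ip; do
        if valid_ipv4 "$ip"; then echo "allow $ip;"; fi
    done
    echo "deny all;"
}

# Returns 0 = include replaced and nginx reloaded, 1 = unchanged,
# 2 = lookup produced no usable address (previous include is kept).
sync_allow() {
    tmp="$(mktemp "${INCLUDE}.XXXXXX")" || return 3
    resolve_ips "$DDNS_NAME" | render_allow > "$tmp"
    if ! grep -q '^allow [0-9.]*;$' "$tmp"; then rm -f "$tmp"; return 2; fi
    if [ -f "$INCLUDE" ] && cmp -s "$tmp" "$INCLUDE"; then rm -f "$tmp"; return 1; fi
    chmod 644 "$tmp" && mv "$tmp" "$INCLUDE" && reload_nginx
}

# Run from cron as: sync-portal-allow.sh --sync
if [ "${1:-}" = "--sync" ]; then sync_allow; fi
```

The portal's `server` or `location` block would pull the generated file in with nginx's `include` directive, so visitors outside the list still get the 403 page from nginx itself.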
-
@nashbrydges said in Nginx Allow Domain Instead Of IP Address:
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
Or maybe this?
Not really an option since I'm allowing a range of IPs assigned to the company in the Nginx config file. It wouldn't be viable to set up a cert on every endpoint in the company to allow access to the portal. This option works great if you're dealing with only a few endpoints that don't often change.
You could simply set up a second URL for external access and use certificate signing on that URL only. not
-
@jaredbusch said in Nginx Allow Domain Instead Of IP Address:
@nashbrydges said in Nginx Allow Domain Instead Of IP Address:
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
Or maybe this?
Not really an option since I'm allowing a range of IPs assigned to the company in the Nginx config file. It wouldn't be viable to set up a cert on every endpoint in the company to allow access to the portal. This option works great if you're dealing with only a few endpoints that don't often change.
You could simply set up a second URL for external access and use certificate signing on that URL only. not
This is an option I hadn't thought of. That could work well.
-
@nashbrydges said in Nginx Allow Domain Instead Of IP Address:
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
Or maybe this?
Not really an option since I'm allowing a range of IPs assigned to the company in the Nginx config file. It wouldn't be viable to set up a cert on every endpoint in the company to allow access to the portal. This option works great if you're dealing with only a few endpoints that don't often change.
You could push the certificate to all the clients, using AD, Salts, etc.
-
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
Or maybe this?
The person that wrote this guide is such a douche
-
Ok, I just found a ridiculously simple way of doing this. I'll post the how-to in a different thread.
-