Hi all! I've been using nginx for a while now and it's a fantastic product!
I've got a reverse proxy setup which provides HTTPS redirection (with an SSL cert self-signed by openssl) via my dyndns-provided domain name. This is running on Lubuntu 15.10 (32-bit). I've got the latest nginx installed - running "apt-cache policy nginx" tells me the version is 1.9.3.
I'm now in the process of setting up authentication and I've got that mostly working. However I'd like to be able to access the pages via dns name, from my local network without authentication, and only require authentication when I'm accessing it from outside my network.
Below are the three scenarios and outcomes I currently have. I currently need help with scenario 3:
1. From my home PC if I access the nginx server via local IP address (http://192.168.1.x), I get redirected correctly to https://192.168.1.x and don't get prompted for authentication - everything works correctly.
2. From an outside PC, if I access the nginx server via dyndns domain name (http://myname.dyndns.org), I get redirected correctly to https://myname.dyndns.org and DO get prompted for authentication - everything works correctly.
3. From my home PC, if I access the nginx server via dyndns domain name (http://myname.dyndns.org), I get redirected correctly to https://myname.dyndns.org and DO get prompted for authentication - in this case, I shouldn't be prompted for authentication, as I'm accessing the server from my internal network.
I've tried to implement a satisfy any; clause, however I'm not sure it's working correctly.
Can anyone help me out?
Here's my nginx config file:
server {
    listen 80;
    server_name 192.168.1.x;
    return 301 https://$server_name$request_uri;
}
server {
    listen 80;
    server_name myname.dyndns.org;
    return 301 https://$server_name$request_uri;
}
# The above two server blocks simply redirect to the https server block below
server {
    server_name myname.dyndns.org 192.168.1.x; #set the servernames to listen for
    listen 443 ssl; #Listen for 443/SSL only
    ssl_certificate /path/to/my/SSL.crt; #specify an SSL cert
    ssl_certificate_key /path/to/my/SSL.key; #SSL cert's key file
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH+3DES:!ADH:!AECDH:!MD5;
    ssl_session_timeout 120m;
    ssl_session_cache shared:SSL:2m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always; #Addresses man-in-the-middle attacks for http to https redirection
    error_log /var/log/nginx/myname.dyndns.org_auth.log; #error log which is used by fail2ban to ban IPs which wrongly login
    auth_basic "Please login.";
    auth_basic_user_file /path/to/my/userpasswords.file; #login credentials
    satisfy any; #when logging in, either satisfy the ip range below or the credentials (not both)
    allow 192.168.1.0/24; #allow only local IPs without authentication
    deny all; #force all other IPs to login with authentication
    #Root web pages
    location / {
        root /path/to/my/html/files;
    }
    location /service1 {
        client_max_body_size 10m; # Allows the upload of up to 10MB .nzb files - default is 1MB
        proxy_pass http://127.0.0.1:1111;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /service2 {
        proxy_pass http://127.0.0.1:2222;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /service3 {
        proxy_pass http://127.0.0.1:3333;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Thanks so much for your input.
I primarily want to resolve my authentication issues, but if you've got any pointers on making the above code more efficient/cleaner etc, please let me know.
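
An added example, not part of the original post and not nginx's own code: a small Python model of how the posted `satisfy any` / `allow` / `deny` / `auth_basic` combination decides a request. The client addresses are constructed, and the two scenario 3 addresses are assumptions, since the post does not say which source address nginx sees for that request.

```python
import ipaddress

# Access rules copied from the posted server block; first match wins.
RULES = [("allow", "192.168.1.0/24"), ("deny", "all")]


def ip_rule_allows(remote_addr, rules=RULES):
    """Mimic allow/deny: test the connecting address against each rule in order."""
    addr = ipaddress.ip_address(remote_addr)
    for action, net in rules:
        if net == "all" or addr in ipaddress.ip_network(net):
            return action == "allow"
    return True  # no rule matched, so the address check does not object


def satisfy_any(remote_addr, credentials_ok=None):
    """Outcome under 'satisfy any': the address check OR basic auth is enough.

    credentials_ok is None when no Authorization header was sent,
    otherwise True/False for a correct/incorrect password.
    """
    if ip_rule_allows(remote_addr):
        return 200, "allowed by address, no login prompt"
    if credentials_ok:
        return 200, "allowed by basic auth"
    return 401, "login prompt"


# Constructed client addresses (documentation ranges stand in for public IPs).
SCENARIOS = {
    "1: LAN client, by IP": "192.168.1.50",
    "2: outside client, by name": "203.0.113.7",
    # Assumption: the two addresses nginx could see for a LAN client that
    # connects via the public name, depending on how the router handles it.
    "3a: LAN source preserved": "192.168.1.50",
    "3b: source rewritten to public IP": "198.51.100.20",
}


def run_scenarios():
    return {name: satisfy_any(addr) for name, addr in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (status, why) in run_scenarios().items():
        print(f"{name:36} -> {status} ({why})")
```

The decision depends only on the address of the connecting peer (`$remote_addr`), not on the host name requested, so with the default `combined` log format the first field of the access-log line for a scenario 3 request shows which branch applied.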