Nginx Allow Domain Instead Of IP Address
-
This is kinda what you want to do....
https://mangolassi.it/topic/15008/pihole-for-friends-and-family/
-
Or maybe this?
-
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
This is kinda what you want to do....
https://mangolassi.it/topic/15008/pihole-for-friends-and-family/
Not exactly. In this setup, the server firewall controls who can access. The way I have it setup is that the Nginx config file is managing the allow/deny rules and displays a 403 error for any IP not in the allow list.
Although I suppose that if I can't find a way to have Nginx resolve the IP to manage the allow/deny, this could be an option. Was trying to avoid relying on external functions but this could work at the server level. Only thing is, the visitor won't get the 403 error page.
-
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
Or maybe this?
Not really an option since I'm allowing a range of IPs assigned to the company in the Nginx config file. It wouldn't be viable to setup a cert on every endpoint in the company to allow access to the portal. This option works great if you're dealing with only a few endpoints that don't often change.
-
@nashbrydges said in Nginx Allow Domain Instead Of IP Address:
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
This is kinda what you want to do....
https://mangolassi.it/topic/15008/pihole-for-friends-and-family/
Not exactly. In this setup, the server firewall controls who can access. The way I have it setup is that the Nginx config file is managing the allow/deny rules and displays a 403 error for any IP not in the allow list.
Although I suppose that if I can't find a way to have Nginx resolve the IP to manage the allow/deny, this could be an option. Was trying to avoid relying on external functions but this could work at the server level. Only thing is, the visitor won't get the 403 error page.
What he actually means is that in that thread they setup a method to check DynDNS resolution for updates and then subsequently update the firewall rules for the new IP address. So the only external funciton would be a script on your Nginx box that runs and updates the conf file and then reloads nginx.
-
@nashbrydges said in Nginx Allow Domain Instead Of IP Address:
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
Or maybe this?
Not really an option since I'm allowing a range of IPs assigned to the company in the Nginx config file. It wouldn't be viable to setup a cert on every endpoint in the company to allow access to the portal. This option works great if you're dealing with only a few endpoints that don't often change.
You could simply setup a second URL for external access and use certificate signing on that URL only. not
-
@jaredbusch said in Nginx Allow Domain Instead Of IP Address:
@nashbrydges said in Nginx Allow Domain Instead Of IP Address:
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
Or maybe this?
Not really an option since I'm allowing a range of IPs assigned to the company in the Nginx config file. It wouldn't be viable to setup a cert on every endpoint in the company to allow access to the portal. This option works great if you're dealing with only a few endpoints that don't often change.
You could simply setup a second URL for external access and use certificate signing on that URL only. not
This is an option I hadn't thought of. That could work well.
-
@nashbrydges said in Nginx Allow Domain Instead Of IP Address:
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
Or maybe this?
Not really an option since I'm allowing a range of IPs assigned to the company in the Nginx config file. It wouldn't be viable to setup a cert on every endpoint in the company to allow access to the portal. This option works great if you're dealing with only a few endpoints that don't often change.
You could push the certificate to all the clients, using AD, Salts, etc.
-
@aaronstuder said in Nginx Allow Domain Instead Of IP Address:
Or maybe this?
The person that wrote this guide is such a douche
-
Ok, I just found a ridiculously simple way of doing this. I'll post the how-to in a different thread.
-
