mirror of https://github.com/opnsense/docs
add nginx IP ACLs (#85)
Fabian Franz BSc
6 years ago
committed by
Franco Fichtner
parent
129710a3cb
commit
1a41ca1d0d
Binary file not shown.
|
After Width: | Height: | Size: 20 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 28 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 22 KiB |
@ -0,0 +1,62 @@
|
||||
====================================
|
||||
nginx: IP Based Access Control Lists
|
||||
====================================
|
||||
|
||||
.. Warning::
|
||||
|
||||
Source IPs of UDP may be spoofed because the protocol is connectionless.
|
||||
If there is an attacker who can manipulte your WAN, the attacker can also
|
||||
use any WAN IP which has been whitelisted. It is safer, not to use this
|
||||
as the only protection for your webservices.
|
||||
|
||||
|
||||
Background Information
|
||||
======================
|
||||
|
||||
IP based ACLs can be externally used to allow access (whitelist strategy) to a
|
||||
specific web service only by customers so you can easily get rid of most of the
|
||||
malicious traffic to the application server.
|
||||
This also has some downsides: For example, the site will probably
|
||||
not be visible to search engines and will therefore not be indexed.
|
||||
On the other hand you can also blacklist (blacklist strategy) some bot IPs and
|
||||
some bulletproof_ hosting ranges.
|
||||
|
||||
.. _bulletproof: https://en.wikipedia.org/wiki/Bulletproof_hosting
|
||||
|
||||
Configuration
|
||||
=============
|
||||
|
||||
Create Users
|
||||
------------
|
||||
|
||||
Navigate to the "Accss -> IP ACL" tab.
|
||||
|
||||
.. image:: images/nginx_ip_acl_01_list_view.png
|
||||
|
||||
Click the + button to create a new ACL.
|
||||
|
||||
.. image:: images/nginx_ip_acl_02_create_acl_view.png
|
||||
|
||||
Next enter a reasonable title, for example here "Allow Private IPs" was used.
|
||||
Now the different IP addresses or IP ranges can be entered. In this case some
|
||||
common private IP ranges were allowed and the default rule was set to block.
|
||||
A new line can be added by clicking the + icon while the trash can icon deletes the row.
|
||||
This means that this service should be only visible internally.
|
||||
|
||||
.. Warning::
|
||||
Keep in mind that carrier grade NAT (CGN) may cause some trouble with these
|
||||
ACLs too. Please check how your traffic is handled first.
|
||||
|
||||
|
||||
Assign it to a Location, HTTP or Stream-Server
|
||||
-----------------------------------------------
|
||||
|
||||
In the last step, the user list must be added to the object, that supports it.
|
||||
At the moment this are the HTTP Server, the Stream Server and the HTTP
|
||||
locations. For example to add the ACL to a location, open it and select the
|
||||
ACL in the dropdown:
|
||||
|
||||
.. image:: images/nginx_ip_acl_03_location.png
|
||||
|
||||
After saving the location and restarting nginx, you are done.
|
||||
|
||||
Loading…
Reference in New Issue