Nginx Ip Whitelist

Question

I want to configure my nginx proxy server to only allow certain IPs to access it.

To my knowledge, this is normally done in the config file, with allow and deny list

Answer 1

There are two ways I know you could solve this problem.

1. Allow-list in separated config: Works on all common NginX installs

   You can place all of the allow statements in a simple text file, per site, that contains nothing but allow statements. Include that under the client's server block. Use scripts as needed to alter the list. Finally reload (not restart) the nginx config every time you update the allow list. This might look as follows:

   cat /var/www-allow/client1-allow.conf
   allow 192.168.1.1;
   allow 10.0.0.1;
   
   cat /etc/nginx/sites/client1.conf
   ...
   server {
       include /var/www-allow/client1-allow.conf;
       deny all;
   }
   
   echo Test NginX configuration
   nginx -t
   
   echo Reload NginX configuration (**adjust for your setup**)
   service nginx reload
   

2. Use embedded Lua: Required custom compile of NginX

   Recompile NginX from source with the 3rd party embedded Lua add on module. Use a lua script to actively deny unsupported IP addresses. See the second example under access_by_lua. There are a variety of ways you could use the add on. I suggest using access_by_lua_file to put the lua script in an external location.

Both of these approaches will still require some effort on your part. I don't believe a drop-in solution is already available for your specific objectives.

Answer 2

Maybe nginx.shared.dict (http://wiki.nginx.org/HttpLuaModule#lua_shared_dict) would help you?