
Author Topic: nginxproxy limit access by ip  (Read 9967 times)


Offline crossing

  • Senior Member
  • *
  • Posts: 336
  • Karma: +0/-0
    • View Profile
nginxproxy limit access by ip
« on: 2013-08-22, 01:50:01 »
I see that limiting by IP in the .htaccess file fails to load the site under nginxproxy; for example, adding this to .htaccess will not load the site at all:

# ALLOW USER BY IP
<Limit GET POST>
 order deny,allow
 deny from all
 allow from xx.xxx.x.xxx
</Limit>

How can I make this work using Kloxo-MR nginxproxy for a specified domain?

I understand I have to add this to the nginx config file:

location / {
  allow   192.168.1.0;
  deny    all;
}

But where is that file for each domain?
Kloxo-MR -> Great Panel ->  Great person behind it ->  Mustafa

Offline crossing

Re: nginxproxy limit access by ip
« Reply #1 on: 2013-08-22, 15:16:56 »
I have found the config file for each domain, /home/nginx/conf/domains/mydomain.com.conf, and added a fake test IP at the bottom just to see if I can access the site, and it has no effect:

location / {
    deny all;
    allow 26.105.94.7;
}

On 'service nginx restart' I get:

nginx: [emerg] "location" directive is not allowed here in /home/nginx/conf/domains/flexijob.ro.conf:61

What am I doing wrong?
« Last Edit: 2013-08-22, 15:21:00 by crossing »

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: nginxproxy limit access by ip
« Reply #2 on: 2013-08-22, 15:19:13 »
Did you run 'sh /script/restart-services' after modifying it?
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline crossing

Re: nginxproxy limit access by ip
« Reply #3 on: 2013-08-22, 15:25:16 »
I just did, but it has no effect.

Actually, the file in question, /home/nginx/conf/domains/mydomain.com.conf, does not support this type of code:

# location / {
# deny all;
# allow 26.105.94.7;
#}


but only

location / {
deny all;
allow 26.105.94.7;
}

which fails and gives this error on 'service nginx restart':

nginx: [emerg] "location" directive is not allowed here in /home/nginx/conf/domains/flexijob.ro.conf:61

It looks like I am working on the wrong file.

Offline MRatWork

Re: nginxproxy limit access by ip
« Reply #4 on: 2013-08-22, 15:36:31 »
Post your /home/nginx/conf/domains/mydomain.com.conf here after adding the code.

Offline crossing

Re: nginxproxy limit access by ip
« Reply #5 on: 2013-08-22, 15:42:51 »
Code:
### begin - web of 'flexijob.ro' - do not remove/modify this line


## web for 'flexijob.ro'
server {
    listen 0.0.0.0:80;
    listen [::]:80;

    server_name flexijob.ro www.flexijob.ro;

    index index.php index.html index.shtml index.htm default.htm Default.aspx Default.asp index.pl;

    set $domain 'flexijob.ro';

    set $rootdir '/home/admin/flexijob.ro';

    root $rootdir;

    set $user 'admin';

    set $fpmport '57797';

    include '/home/nginx/conf/globals/proxy.conf';

    include '/home/nginx/conf/globals/generic.conf';
}


## webmail for 'flexijob.ro' handled by ../webmails/webmail.conf


## web for 'flexijob.ro'
server {
    listen 0.0.0.0:443;
    listen [::]:443;

    ssl on;
    ssl_certificate /home/kloxo/httpd/ssl/eth0_0___localhost.crt;
    ssl_certificate_key /home/kloxo/httpd/ssl/eth0_0___localhost.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    server_name flexijob.ro www.flexijob.ro;

    index index.php index.html index.shtml index.htm default.htm Default.aspx Default.asp index.pl;

    set $domain 'flexijob.ro';

    set $rootdir '/home/admin/flexijob.ro';

    root $rootdir;

    set $user 'admin';

    set $fpmport '57797';

    include '/home/nginx/conf/globals/proxy.conf';

    include '/home/nginx/conf/globals/generic.conf';
}

## webmail for 'flexijob.ro' handled by ../webmails/webmail.conf


### begin - web of 'flexijob.ro' - do not remove/modify this line

 location / {
 deny all;
 allow 26.105.94.7;
}

Offline crossing

Re: nginxproxy limit access by ip
« Reply #6 on: 2013-08-22, 16:07:59 »
I even tried inserting it in the server block:

Code:
# begin - web of 'flexijob.ro' - do not remove/modify this line

## web for 'flexijob.ro'
server {
    listen 0.0.0.0:80;
    listen [::]:80;

    server_name flexijob.ro www.flexijob.ro;

    index index.php index.html index.shtml index.htm default.htm Default.aspx Default.asp index.pl;

    set $domain 'flexijob.ro';

    set $rootdir '/home/admin/flexijob.ro';

    root $rootdir;

    set $user 'admin';

    set $fpmport '57797';

    include '/home/nginx/conf/globals/proxy.conf';

    include '/home/nginx/conf/globals/generic.conf';
    location / {
      allow 11.234.23.4;
      deny all;
    }
}


## webmail for 'flexijob.ro' handled by ../webmails/webmail.conf


## web for 'flexijob.ro'
server {
    listen 0.0.0.0:443;
    listen [::]:443;

    ssl on;
    ssl_certificate /home/kloxo/httpd/ssl/eth0_0___localhost.crt;
    ssl_certificate_key /home/kloxo/httpd/ssl/eth0_0___localhost.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    server_name flexijob.ro www.flexijob.ro;

    index index.php index.html index.shtml index.htm default.htm Default.aspx Default.asp index.pl;

    set $domain 'flexijob.ro';

    set $rootdir '/home/admin/flexijob.ro';

    root $rootdir;

    set $user 'admin';

    set $fpmport '57797';

    include '/home/nginx/conf/globals/proxy.conf';

    include '/home/nginx/conf/globals/generic.conf';
}

## webmail for 'flexijob.ro' handled by ../webmails/webmail.conf


### begin - web of 'flexijob.ro' - do not remove/modify this line



The IP restriction still does not work, and 'service nginx restart' shows:

nginx: [emerg] duplicate location "/" in /home/nginx/conf/domains/flexijob.ro.conf:25

Offline MRatWork

Re: nginxproxy limit access by ip
« Reply #7 on: 2013-08-22, 16:14:45 »
'location /' does not work because it is already defined in '/home/nginx/conf/globals/proxy.conf' (for nginx-proxy) or '/home/nginx/conf/globals/php-fpm.conf' (for nginx alone).

Copy proxy.conf to custom.proxy.conf or php-fpm.conf to custom.php-fpm.conf and add your code inside the custom file. After that, run 'sh /script/fixweb; sh /script/restart-web'.

Offline crossing

Re: nginxproxy limit access by ip
« Reply #8 on: 2013-08-22, 16:23:49 »
"Copy proxy.conf to custom.proxy.conf": do you mean to copy the content of /home/nginx/conf/globals/proxy.conf (nginxproxy in my case) to /home/nginx/conf/domains/mydomain.com.conf? If so, should I delete proxy.conf after that?

Offline crossing

Re: nginxproxy limit access by ip
« Reply #9 on: 2013-08-22, 16:37:13 »
Because there is no custom.proxy.conf file on my server.

Offline MRatWork

Re: nginxproxy limit access by ip
« Reply #10 on: 2013-08-22, 16:45:42 »
Quote from: "crossing"
Because there is no custom.proxy.conf file on my server.
Yes.

Template-based config has a 'rule'. Every file inside /home/<webserver>/tpl and /home/<webserver>/conf/globals can be copied to a custom.* file, and then Kloxo-MR will read this custom file instead of the original. So, if you copy proxy.conf to custom.proxy.conf, Kloxo-MR will read custom.proxy.conf rather than proxy.conf.

That's it.

Offline MRatWork

Re: nginxproxy limit access by ip
« Reply #11 on: 2013-08-22, 16:49:17 »
Why do you need custom.proxy.conf, and why not modify proxy.conf?

The reason is that updating Kloxo-MR and running cleanup will overwrite proxy.conf.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --
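
The procedure MRatWork describes in replies #7 to #11, as an added example that is not part of the original thread or Kloxo-MR's own code: copy proxy.conf to custom.proxy.conf and put the allow/deny rules inside the existing 'location /' block, so no duplicate location is declared. The file lives in globals and is included by the server blocks shown above, so the rule is not specific to one domain; the IP is the sample value from the posts, and the function names and the --apply switch are made up for this example.

```shell
#!/bin/sh
# Added example (not Kloxo-MR code). Paths and scripts are those named in the thread.

# make_custom_proxy GLOBALS_DIR ALLOW_IP
# Copy proxy.conf to custom.proxy.conf and place the access rules inside the
# existing 'location / {' block, so no second 'location /' is declared.
make_custom_proxy() {
    src="$1/proxy.conf"; dst="$1/custom.proxy.conf"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    awk -v ip="$2" '
        { print }
        /^[ \t]*location[ \t]+\/[ \t]*[{]/ && !done {
            # nginx checks allow/deny in order and stops at the first match,
            # so the allow line has to come before "deny all".
            print "        allow " ip ";"
            print "        deny all;"
            done = 1
        }
        END { if (!done) exit 2 }   # no "location /" found: leave nothing behind
    ' "$src" > "$dst.tmp" || { rm -f "$dst.tmp"; return 1; }
    mv "$dst.tmp" "$dst"
}

# root_location_count FILE: number of 'location / {' blocks (must stay 1).
root_location_count() {
    grep -c '^[[:space:]]*location[[:space:]]*/[[:space:]]*{' "$1"
}

# demo: run the edit on a constructed, trimmed-down proxy.conf in a temp dir
# and print the resulting 'location /' block.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'location ~ /purge(/.*) {' '    allow 127.0.0.1;' '    deny all;' '}' \
        'location / {' '    proxy_pass http://127.0.0.1:30080/;' '}' > "$d/proxy.conf"
    make_custom_proxy "$d" 11.234.23.4 && sed -n '/^location \/ {/,/^}/p' "$d/custom.proxy.conf"
    rm -rf "$d"
}

# On the server: sh this-script --apply
if [ "${1:-}" = "--apply" ]; then
    make_custom_proxy /home/nginx/conf/globals 11.234.23.4 &&
        sh /script/fixweb && nginx -t && sh /script/restart-web
fi
```

Running nginx -t between fixweb and restart-web catches a 'duplicate location' or misplaced directive before the web server is restarted.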

Offline crossing

Re: nginxproxy limit access by ip
« Reply #12 on: 2013-08-22, 16:53:38 »
OK, so what I did is create 'custom.proxy.conf' in '/home/nginx/conf/globals/' and paste in the code from '/home/nginx/conf/globals/proxy.conf'. Then I added these lines at the bottom of 'custom.proxy.conf':

Code:
location /flexijob.ro {
      allow 11.234.23.4;
      deny all;
}

Now the code looks like this:

Code:
proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;

    ## MR - increasing upload size to 64M (declare inside 'location /' not work
    client_max_body_size 64M;
    client_body_buffer_size 128k;

    proxy_connect_timeout 180s;
    proxy_send_timeout 180s;
    proxy_read_timeout 180s;
    #proxy_buffers 32 4k;
    proxy_buffers 8 128k;
    proxy_buffer_size 128k;

    ### MR -- change enable = @wp when using wordpress
    error_page 404 /404.html;

    location = /404.html {
        root '/usr/share/nginx/html';
    }

    error_page 500 502 503 504 /50x.html;

    location = /50x.html {
        root '/usr/share/nginx/html';
    }

    ### MR -- must be using nginx-special (including ngx_purge_cache)
    location ~ /purge(/.*) {
        ### MR -- just enough remove # below for enable
        #proxy_cache_purge pcache "$scheme://$host$1$request_method";
        allow 127.0.0.1;
        deny all;
    }

    location / {
        limit_conn addr 25;

        ## MR - no need try_files because permalink handle by apache
        #try_files $uri $uri/ /index.php;

        proxy_pass http://127.0.0.1:30080/;

        proxy_redirect off;

        ## MR - change $host to $domain importance for access via ip on exclusive ip domain but add X-Host still with $host
        proxy_set_header Host $domain;
        proxy_set_header X-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-For $remote_addr;
   
        proxy_pass_header Set-Cookie;

        proxy_headers_hash_max_size 512;

        ### MR -- just enough remove # below for enable cache
        #proxy_cache pcache;
        proxy_cache_valid 10m;
        proxy_cache_valid 404 1m;

        proxy_cache_key "$scheme://$host$request_uri";

        proxy_cache_use_stale error timeout invalid_header
                              http_500 http_502 http_504 http_404;

        open_file_cache max=1024 inactive=600s;
        open_file_cache_valid 2000s;
        open_file_cache_min_uses 1;
        open_file_cache_errors on;
    }

    ### MR -- Enable this if not using nginx cache and not for wordpress
#    location ~* ^.+.(jpe?g|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf|avi|mp3)$ {
#        expires 2d;
#        access_log off;
#        root $rootdir;
#    }

    location ~ /.ht {
        deny all;
    }

    if (-f $request_filename) {
        break;
    }
 
    if (-d $request_filename) {
        break;
    }

    location /flexijob.ro {
      allow 11.234.23.4;
      deny all;
    }

Then I ran 'sh /script/fixweb; sh /script/restart-web'.

But it still fails to block access to my site.

Offline MRatWork

Re: nginxproxy limit access by ip
« Reply #13 on: 2013-08-22, 16:59:32 »
What do you mean by 'location /flexijob.ro'? Does every domain have a '/flexijob.ro' directory?

Offline crossing

Re: nginxproxy limit access by ip
« Reply #14 on: 2013-08-22, 17:01:21 »
I'm targeting only flexijob.ro to limit access based on IP. I removed it and left only:
Code:
location / {
      allow 11.234.23.4;
      deny all;
    }

but I still have access to the site.