Sling Academy
Home/DevOps/NGINX: How to accept only local requests

NGINX: How to accept only local requests

Last updated: January 20, 2024

Introduction

NGINX is a versatile web server that can be configured for various networking scenarios. One common requirement, especially in development environments or APIs meant for internal use, is to configure NGINX to accept requests only from local clients. The following tutorial will walk you through setting up your NGINX server to restrict access to local network requests.

Basic NGINX Configuration

Let’s start with a basic NGINX setup and then explain how to modify it to restrict access:

server {
    listen 80;
    server_name localhost;
    location / {
        root /var/www/html;
        index index.html index.htm;
    }
}

In the above configuration, NGINX serves content from the /var/www/html directory on HTTP port 80. Requests from any client are accepted.

Restricting Access by IP

To restrict access to local requests, you need to specify which IP addresses are considered ‘local.’ The most straightforward case is allowing only the localhost (127.0.0.1).

server {
    listen 80;
    server_name localhost;
    location / {
        allow 127.0.0.1;
        deny all;
        root /var/www/html;
        index index.html index.htm;
    }
}

This configuration will ensure that only requests originating from the server itself (localhost) will be processed.

Access for Localhost and Local Network

What if you want to allow not just the localhost, but an entire local network? For example, you might want to allow the 192.168.1.0/24 subnet.

server {
    listen 80;
    server_name localhost;
    location / {
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;
        root /var/www/html;
        index index.html index.htm;
    }
}

Now, NGINX will serve requests from localhost and any machines on the 192.168.1.xxx network.

Advanced Configuration Using Geo Module

For more complex scenarios or dynamic IP handling, you can use NGINX’s Geo module. This module allows you to define variables based on the client’s IP address, which you can then use in your access rules. Here is how you can set it up:

http {
    geo $local_network {
        default         0;
        127.0.0.1      1;
        192.168.1.0/24 1;
    }
    server {
        listen 80;
        server_name localhost;
        location / {
            if ($local_network = 0) {
                return 403;
            }
            root /var/www/html;
            index index.html index.htm;
        }
    }
}

In this configuration, requests are checked against the Geo module’s $local_network variable. If a request does not come from the listed IP addresses (0 indicates no match), NGINX returns a 403 Forbidden error.

Securing NGINX with HTTPS

For added security, especially when handling sensitive internal information, consider using HTTPS (SSL/TLS) for your requests. You can still apply local request restrictions over an encrypted connection.

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    location / {
        allow 127.0.0.1;
        deny all;
        root /var/www/html;
        index index.html index.htm;
    }
}

After generating your certificates and configuring SSL settings, you simply add the allow and deny directives to enforce local access under the secure protocol.

Testing the Configuration

After any changes to the NGINX configuration, you should test to ensure there are no syntax errors:

sudo nginx -t

If the configuration test is successful, you will see an output like:

nginx: configuration file /etc/nginx/nginx.conf test is successful

Once the configuration is confirmed to be correct, reload NGINX to apply the changes:

sudo systemctl reload nginx

Now you can verify that the server is only accepting local requests by using tools like curl from a remote host and seeing that the access is denied:

curl http://localhost/ # Should be available locally

curl http://[your-server-ip]/ # Should deny access

Conclusion

In this tutorial, we’ve looked at how you can configure your NGINX server to accept only local requests. By utilizing NGINX’s access rules with the allow and deny directives, and potentially the Geo module for more complex configurations, you can ensure that your server’s content is accessible solely within a local network environment.

Next Article: How to Configure Timeouts in NGINX

Previous Article: NGINX Mail Core Module: The Complete Guide

Series: NGINX Tutorials

DevOps

You May Also Like

  • How to reset Ubuntu to factory settings (4 approaches)
  • Making GET requests with cURL: A practical guide (with examples)
  • Git: What is .DS_Store and should you ignore it?
  • NGINX underscores_in_headers: Explained with examples
  • How to use Jenkins CI with private GitHub repositories
  • Terraform: Understanding State and State Files (with Examples)
  • SHA1, SHA256, and SHA512 in Terraform: A Practical Guide
  • CSRF Protection in Jenkins: An In-depth Guide (with examples)
  • Terraform: How to Merge 2 Maps
  • Terraform: How to extract filename/extension from a path
  • JSON encoding/decoding in Terraform: Explained with examples
  • Sorting Lists in Terraform: A Practical Guide
  • Terraform: How to trigger a Lambda function on resource creation
  • How to use Terraform templates
  • Understanding terraform_remote_state data source: Explained with examples
  • Jenkins Authorization: A Practical Guide (with examples)
  • Solving Jenkins Pipeline NotSerializableException: groovy.json.internal.LazyMap
  • Understanding Artifacts in Jenkins: A Practical Guide (with examples)
  • Using Jenkins with AWS EC2 and S3: A Practical Guide