Created
October 4, 2023 19:21
nginx geo whitelist and ssl snakeoil
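# Self-signed "snakeoil" certificate for the origin server (10-year validity).
# -nodes leaves the private key unencrypted so nginx can load it unattended;
# keep /etc/ssl/private readable by root only.
# Modern TLS clients ignore the CN and match on subjectAltName, so the address
# is also placed in a SAN (-addext requires OpenSSL >= 1.1.1). PUBLIC_IP_ADDRESS
# must be set in the shell; the original's literal "<...>" around it would have
# become part of the certificate subject.
openssl req -x509 -newkey rsa:4096 -nodes -sha256 \
  -keyout /etc/ssl/private/ssl-cert-snakeoil.key \
  -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
  -days 3650 \
  -subj "/CN=$PUBLIC_IP_ADDRESS" \
  -addext "subjectAltName=IP:$PUBLIC_IP_ADDRESS"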
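# IP whitelist keyed on the client address *after* the real_ip module has run.
# geo is evaluated when $allowedip is first read (the "if" below, rewrite phase),
# by which time realip (post-read phase) has replaced $remote_addr with the
# CF-Connecting-IP value for connections from a trusted proxy. Keying the map on
# the raw $http_cf_connecting_ip header, as before, let any client that can
# reach the origin directly forge the header and pass the whitelist.
geo $remote_addr $allowedip {
    default 0;
    1.2.3.4 1;
    5.6.7.8 1;
}
server {
    # Trust CF-Connecting-IP only from Cloudflare's own edge ranges.
    # <CLOUDFLARE_RANGE> is a placeholder: add one set_real_ip_from line per
    # range published at https://www.cloudflare.com/ips-v4/ and
    # https://www.cloudflare.com/ips-v6/ and keep the list current.
    # The previous 0.0.0.0/0 trusted every peer, so a direct connection could
    # spoof any whitelisted address.
    set_real_ip_from <CLOUDFLARE_RANGE>;
    real_ip_header CF-Connecting-IP;
    # Reject everything not in the geo map above.
    if ($allowedip = 0) {
        return 403;
    }
    listen 80 default_server;
    server_name _;
    client_max_body_size 100M; # allow huge uploads, up to 100MB
    root /home/user/app/public; # serve static files from public dir with nginx
    try_files $uri @next; # serve static files with nginx, fall back to nextjs on not found
    location @next {
        proxy_set_header Host $http_host;
        # $remote_addr is the Cloudflare-reported client for proxied requests
        # and the real peer for direct ones; never forward the raw header.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:3000;
    }
    #location /api {
    #    include proxy_params;
    #    proxy_pass http://127.0.0.1:3001;
    #}
    #location /images/ {
    #    root /home/user/app/public/; # will serve files in /path/to/public/images
    #}
    # Self-signed certificate; fine for Cloudflare "Full" mode, which does not
    # validate the origin cert, but not for "Full (strict)".
    listen 443 ssl default_server;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
}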
# Comment-thread variant using allow/deny instead of a geo map. allow/deny match
# on $remote_addr, which realip rewrites from CF-Connecting-IP for any peer in
# set_real_ip_from. With 0.0.0.0/0 every peer is trusted, so a client reaching
# the origin directly can send "CF-Connecting-IP: 1.2.3.4" and be allowed;
# restrict set_real_ip_from to the Cloudflare ranges linked below (one line per range).
set_real_ip_from 0.0.0.0/0;
real_ip_header CF-Connecting-IP;
allow 1.2.3.4;
deny all;
https://www.cloudflare.com/ips-v4/
https://www.cloudflare.com/ips-v6/