I have a frontend with an nginx reverse proxy. Any GET request made from it starting with the prefix "api" gets routed to the backend. However, I've noticed that this also leads to direct calls to the backend being allowed.

For example, if I click on a button in the frontend (located at "frontend-url") that makes a GET request to the backend URI "/api/hello", the proxy turns it into "backend-url/api/hello". However, if I make a GET request directly from Chrome, curl, etc. to "frontend-url/api/hello", this works as well. Is there any way to not allow this?

1 Answer

The solution I can give is to use iptables to limit direct access to the backend server. Here is an example:

# Allow port 80 from a specific IP (the frontend) only
iptables -A INPUT -p tcp -s your-Frontend-IP_Address --dport 80 -j ACCEPT   # if your API runs on port 80

# Then block access from everyone else (appended after the ACCEPT rule, so the frontend still matches first)
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP

This makes port 80 accessible only from the frontend IP.

YonzLeon
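An added example (not from the question or the answer) of the same restriction applied in nginx itself instead of iptables: the backend's own nginx accepts /api/ requests only from the proxy's address, and the proxy forwards the client's IP so the backend can still log it. The addresses `10.0.0.5`, `backend.internal:8080` and `127.0.0.1:3000` are placeholders.

```nginx
# Frontend (reverse proxy): route /api/ to the backend and pass on the real client IP.
server {
    listen 80;
    server_name frontend.example;                 # placeholder

    location /api/ {
        proxy_pass http://backend.internal:8080;  # placeholder backend address
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Backend: only the reverse proxy (10.0.0.5, placeholder) may reach /api/;
# every other source receives 403 before the request touches the application.
server {
    listen 8080;

    location /api/ {
        allow 10.0.0.5;                    # the reverse proxy
        deny  all;                         # everyone else

        proxy_pass http://127.0.0.1:3000;  # placeholder: the API application
        proxy_set_header Host $host;
    }
}
```

Like the iptables rules in the answer, this only stops clients that contact the backend directly: a request to frontend-url/api/hello still arrives from the proxy's address and is allowed, so it does not distinguish curl from the frontend's own JavaScript.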