
I would like to double protect an application that uses a custom header to authorize some critical views. Since those calls should only originate from some well-known IPs, I would like to block requests containing this custom header (say X-SuperAdminToken) and not originating from white-listed IPs.

Something like:

if ($http_xsuperadmintoken) {
  allow 192.168.1.0/24;
  allow 10.1.2.3;
  deny all;
}

but it seems that I'm not allowed to put an allow directive inside an if block:

# nginx -t
nginx: [emerg] "allow" directive is not allowed here in /etc/nginx/sites-enabled/default:44

I haven't found a workaround for this.

ascobol

1 Answer


You could try something along these lines. You need to add in your own specifics, including location block details, but this should work:

location / {
    # Hand requests that match the condition to the named location below.
    # 412 is only an internal signal here; error_page swallows it, so the
    # client never sees a 412.
    error_page 412 = @checkip;
    recursive_error_pages on;

    if ($something) {
        return 412;
    }

}

location @checkip {
    # allow/deny are permitted in a location, so the IP check lives here
    allow 192.168.1.0/24;
    allow 10.1.2.3;
    deny all;
}

What this does is check for $something and, if it is set, return a 412 error; this is then handled by the @checkip block, where we then check the IP address.

Drifter104
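The following is an added example, not part of the question or the answer above: a complete server block that applies the error_page/@checkip technique to the header named in the question and proxies allowed requests to the application. The upstream name app_backend, its address, and the server_name are assumptions; the IP ranges are the ones from the question.

```nginx
# Added example (not from the original question or answer). The upstream
# "app_backend", its address and "example.com" are assumed values.
upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.com;

    location / {
        # nginx exposes request headers as $http_<name>, lower-cased and with
        # dashes turned into underscores, so X-SuperAdminToken is
        # $http_x_superadmintoken (not $http_xsuperadmintoken).
        #
        # "if" may not contain allow/deny, but it may "return" a status that
        # error_page turns into an internal redirect to a named location.
        # 412 is only an internal signal; the client never receives it.
        error_page 412 = @checkip;

        if ($http_x_superadmintoken) {
            return 412;
        }

        # Requests without the header are proxied unchanged.
        proxy_pass http://app_backend;
    }

    # Reached only for requests that carried X-SuperAdminToken.
    # The original URI and headers are preserved by the internal redirect.
    location @checkip {
        allow 192.168.1.0/24;
        allow 10.1.2.3;
        deny all;            # any other source gets 403 before the proxy is touched

        proxy_pass http://app_backend;
    }
}
```

Validate with `nginx -t`, then from a non-whitelisted host run `curl -i -H 'X-SuperAdminToken: x' http://example.com/` and expect 403, while the same request without the header should reach the application. Two caveats a practitioner should keep in mind: nginx treats a variable as false when it is the empty string or the single character "0", so a header value of exactly "0" does not trigger the `if` and reaches the application without the IP check (the application's own token validation must still reject it, which is why this is a second layer, not a replacement); and allow/deny compare against $remote_addr, so if nginx sits behind a load balancer or CDN you need the realip module configured with the trusted proxy addresses, otherwise every request appears to come from the proxy.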