I would like to double protect an application that uses a custom header to authorize some critical views. Since those calls should only originate from some well-known IPs, I would like to block requests containing this custom header (say X-SuperAdminToken) and not originating from white-listed IPs.
Something like:
# nginx exposes the request header X-SuperAdminToken as $http_x_superadmintoken
if ($http_x_superadmintoken) {
    allow 192.168.1.0/24;
    allow 10.1.2.3;
    deny all;
}
but it seems that I'm not allowed to put an allow directive inside an if block:
# nginx -t
nginx: [emerg] "allow" directive is not allowed here in /etc/nginx/sites-enabled/default:44
I haven't found a workaround for this.
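One configuration nginx does accept for this, added here as an example and not part of the original question: the allow-list test and the header test are computed with `geo` and `map` (both valid in the `http` context), and only a `return` is left inside the `if`. It assumes the header is X-SuperAdminToken (exposed as `$http_x_superadmintoken`) and that `geo` can evaluate `$remote_addr` directly, i.e. no reverse proxy sits in front of this nginx.

```nginx
http {
    # 1 if the client address is in the trusted admin ranges, 0 otherwise.
    # geo matches against $remote_addr; with a proxy in front, configure
    # real_ip_header / set_real_ip_from first or this check sees the proxy.
    geo $admin_src_ok {
        default        0;
        192.168.1.0/24 1;
        10.1.2.3       1;
    }

    # 1 if the request carries a non-empty X-SuperAdminToken header.
    map $http_x_superadmintoken $has_admin_header {
        default 1;
        ""      0;
    }

    # Block only the combination "header present" AND "source not trusted".
    # The key concatenates the two flags: "10" is header=1, trusted=0.
    map "$has_admin_header$admin_src_ok" $block_admin_header {
        default 0;
        "10"    1;
    }

    server {
        listen 80;
        server_name example.internal;   # placeholder name

        # Evaluated before any location is selected, so it covers every view.
        # A bare "return" inside "if" is the safe form of the directive.
        if ($block_admin_header) {
            return 403;
        }

        location / {
            proxy_pass http://127.0.0.1:8000;   # placeholder backend
        }
    }
}
```

Requests without the header, and requests with it from the listed ranges, pass through untouched; a request carrying the header from any other address gets a 403 before reaching the backend, which is the double protection the question asks for.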