3

We have a Heroku app on http://random-heroku-app.herokuapp.com and access to it (using HTTPS) must be limited to just 2 IPs. Nginx with its `allow` function is perfect here.

But is it possible to deploy Nginx in AWS and configure it so that it would be "in front" of the Heroku app?

Example: If I go to http://random-heroku-app.herokuapp.com, Nginx is first going to check if I am trying to connect from an allowed IP and only then proxy me to http://random-heroku-app.herokuapp.com.

Thank you in advance!

  • Are you using https://github.com/heroku/heroku-buildpack-nginx? The IP `allow` and `deny` don't work for me at all. – new2cpp Jan 26 '19 at 10:11
  • One does realize this is security through obscurity? random-heroku-app.herokuapp.com is going to be 24/7 publicly facing. All one needs to do is hit Heroku's proxies with a dictionary attack and they would have found your application. Better to ensure your app/API can be accessed only with a valid SAML/JWT/OAuth token, then put it behind Cloudflare where one has a full WAF, CDN, logging, and firewall. – Dwight Spencer Nov 09 '20 at 08:45

1 Answer

0

Sure thing!

You'll just need a server block inside of nginx that would look something like this:

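```nginx
server {
    listen 443 ssl;
    server_name random-heroku-app.herokuapp.com;
    # Certificate and key for the name in server_name; nginx terminates TLS here
    ssl_certificate .ssl/cert.crt;
    ssl_certificate_key .ssl/key.key;

    # Rules are checked in order: replace publicip with an allowed client address
    # (repeat the allow line for each one), then reject everyone else
    allow   publicip;
    deny    all;

    location / {
        # appip is a placeholder for the upstream application's address
        proxy_pass https://appip:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```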
Tamerlan Abu
  • Thanks! Will try it out soon and will get back to you with an answer. – DimonVersace Apr 14 '17 at 10:12
  • So I've checked the current config and it's not working. Are certificates mandatory for this (they are on the other herokuapp server and I don't know how to retrieve them)? – DimonVersace Apr 17 '17 at 16:39
  • They are. Your nginx frontend is the one that establishes the HTTPS connection. What error do you receive? – Tamerlan Abu Apr 18 '17 at 05:10
  • I don't receive any. I've used my AWS EC2, which has Nginx installed, and just added a new file in sites-available (made a symlink in sites-enabled too) with your proposed configuration. Nginx restarts. I guess I need to retrieve certs from the Heroku app server? – DimonVersace Apr 18 '17 at 06:49
  • Did you forward your domain name to your new nginx instance? – Tamerlan Abu Apr 18 '17 at 07:44
  • Am I able to forward the `herokuapp` domain name (not owned by me) to my AWS instance? – DimonVersace Apr 18 '17 at 17:44
  • No idea. You can check whether or not it's working by adding IP and domain in your local 'hosts' file. If it does work, you could use a different domain name for your needs: https://devcenter.heroku.com/articles/custom-domains – Tamerlan Abu Apr 19 '17 at 05:23
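
A variant of the answer's server block for the situation the comments end on, where the `herokuapp.com` name cannot be pointed at the proxy and a separate domain with its own certificate is used instead. This is an added example, not part of the original answer; `proxy.example.com`, the certificate paths, the CA bundle path and the two client addresses are placeholder assumptions.

```nginx
# Added example: every name, path and address below is a placeholder.
server {
    listen 443 ssl;
    # A domain you control, with DNS pointing at this nginx instance
    server_name proxy.example.com;

    # Certificate issued for proxy.example.com (not the Heroku certificate)
    ssl_certificate     /etc/nginx/ssl/proxy.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/proxy.example.com.key;

    # The two permitted client addresses (documentation ranges used here);
    # rules are evaluated in order and the first match wins
    allow 203.0.113.10;
    allow 198.51.100.20;
    deny  all;

    location / {
        # Proxy to the app by hostname rather than by a fixed IP
        proxy_pass https://random-heroku-app.herokuapp.com;

        # Send the app's own hostname upstream, not proxy.example.com,
        # so the upstream router can match the request to the app
        proxy_set_header Host random-heroku-app.herokuapp.com;

        # Send SNI on the upstream TLS handshake and verify the upstream
        # certificate against the system CA bundle (path is an assumption)
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 3;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Pass the original client address along for application logs
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

As the second comment on the question points out, the app remains reachable directly at its `herokuapp.com` name, so this block only restricts traffic that goes through the proxy.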