SWAG - Restrict access to LAN only

Hello, sorry if this has already been asked. I searched and couldn’t find anything.

I have SWAG set up and everything is working fine. I would like to feed a service through the proxy and use the subdomain for access. But, I would like to restrict access to the service to my LAN only. This is how the SWAG dashboard is configured and I would like to duplicate that for other services.

For example, let's say I have Plex and Overseerr configured to plex.mydomain.com and overseerr.mydomain.com. I would like Plex publicly available for friends/family. But, I would like to restrict Overseerr to my LAN only so only people at my home will make requests while still using overseerr.mydomain.com.

How can I edit the Overseerr SWAG config to restrict access to 192.168.x.0/24?

I attempted to reverse engineer the Dashboard .conf file with no luck.

Thank you.

Nginx allow/deny directives: Module ngx_http_access_module

If I understand correctly, you want to deny access outside of your LAN to some services. I implemented a solution for this. I’m not sure if it is the correct solution, but it works for me. I have created a file called “blockwan.conf” with the following lines:

    location @blockwan {
        return 444;
    }

    allow 192.168.1.0/24; #<---Enter your LAN subnet here
    deny all;
    error_page 403 @blockwan;

…And saved it in the nginx folder with the other include files.

The “location @blockwan” block sets up a destination returning an error code of 444 (instructs nginx to close the connection without sending a response to the client).

The next block allows the local subnet access to the service, and denies anything else with a 403 error redirecting 444 to the requestor. You can place multiple LAN subnets on separate lines if you need more.

Once I had the file created, I placed this as an include in the conf file of whichever service I want to block from the internet. I put this right after the server name in the server block. For example (bitwarden.subdomain.conf):

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bitwarden.*;

    # enable blockwan for blocking WAN access 
    include /config/nginx/blockwan.conf;

    include /config/nginx/ssl.conf;
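
An added example, not part of the posts above: a small Python model of how nginx's access module evaluates the allow/deny lines in blockwan.conf (rules are checked in order and the first match wins), useful for checking which clients a rule set admits before reloading nginx. The second subnet and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the answer's blockwan.conf plus a second, assumed LAN subnet.
BLOCKWAN_CONF = """
location @blockwan {
    return 444;
}

allow 192.168.1.0/24; # LAN subnet from the answer
allow 10.0.0.0/24;    # assumed second subnet, for illustration
deny all;
error_page 403 @blockwan;
"""

# Matches active allow/deny directives; lines starting with '#' do not match.
RULE_RE = re.compile(r"^\s*(allow|deny)\s+([^;\s]+)\s*;", re.MULTILINE)


def parse_rules(conf_text):
    """Return [(action, network-or-None)] in file order; None stands for 'all'."""
    rules = []
    for action, target in RULE_RE.findall(conf_text):
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def access_decision(rules, client_ip):
    """Check rules in sequence; the first rule that matches the client decides."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"  # no rule matched, so access is not restricted


def response_for(conf_text, client_ip):
    """A deny yields 403, which error_page reroutes to @blockwan (return 444)."""
    if access_decision(parse_rules(conf_text), client_ip) == "allow":
        return "proxied"
    return "444" if "error_page 403 @blockwan" in conf_text else "403"
```

Because the server block also listens on `[::]:443`, a LAN client that connects over IPv6 matches no IPv4 `allow` line and falls through to `deny all`.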

Thank you, both. I kept searching for solutions for SWAG and I don’t know why it never crossed my mind that it is still just nginx. I was able to solve my problem using these answers.

Thanks again!
