Hello,
I want to access two applications running on my server from the outside, through swag/nginx + authelia running as docker containers. I can access those applications without any problem from an external browser with https://application.mysubdomain.duckdns.org
I want to block all other requests which do not match the name of one of the two defined applications.
I wrote the following catch-up.conf file in proxy-confs:
When I call https://unused.mysubdomain.duckdns.org from firefox/win10 nothing happens, and after a while I get a “The connection has timed out” message.
When I call https://unused.mysubdomain.duckdns.org from chrome/win10 I land directly on the “Welcome to your SWAG instance” page, and the following entry appears in the nginx/access.log file:
w.x.y.z - - [07/Feb/2024:18:21:11 +0100] "GET / HTTP/2.0" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
I am unable to explain this difference and I am not too sure that my initial objective is fulfilled.
Any help will be appreciated
I'm not sure what your goal with server_name - is… what do you expect that to do? If you're trying to set a default server, it's _ with default_server, but the easiest way to accomplish your goal is to NOT make DNS records externally for things you don't want externally accessed…
I am trying to block unknown x.x.x.x IP addresses that are showing up in my NGINX access.log file, like:
x.x.x.x - - [07/Feb/2024:18:00:44 +0100] "GET /favicon.ico HTTP/1.1" 200 1448 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
I’m not sure why you’re seeing different results in Firefox and Chrome; it could be due to how your network is configured. Have you tried testing from a different network or a hotspot to see if you get the same behavior?
Also, it seems like you might be addressing the wrong server block or accessing it from the wrong location. The welcome page you’re seeing for your unused domain is being served from the site-confs/default.conf file, not from the server blocks in the proxy-confs folder.
Your default.conf file should have a block like this:
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
root /config/www;
index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
[...]
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
}
Here, the reverse proxy subfolder and subdomain rules come after the root block and are processed after the root directory that contains index pages.
Here are my suggestions:
Delete the catch-up.conf file you created in the proxy-confs folder.
Add a 403 rule directly into the root block. If necessary, you can later add a rule for your specific domain before the 403 rule to allow access to the root domain. Make it a definite rule, not a wildcard rule.
Here’s what your updated default.conf file should look like:
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
root /config/www;
# Return 403 Forbidden for requests to the root domain
location = / {
return 403;
}
# Return 403 Forbidden for requests to the index files themselves
location ~* ^/index\.(?:html|htm|php)$ {
return 403;
}
# Include subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
}
[...]
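Both replies above turn on the same nginx mechanism: the server block marked default_server with server_name _ receives every request whose Host/SNI name no other server block claims, so an unused subdomain (or the bare IP) never has to be listed anywhere. What follows is an added example, not code from this thread or from SWAG's shipped configs, of a catch-all that refuses every path rather than only / and the index files, alongside one explicitly named app block. It assumes SWAG's layout (/config/nginx/ssl.conf holding the certificate directives, and the authelia-server.conf / authelia-location.conf and proxy.conf snippets SWAG ships), two hypothetical apps app1 and app2 under mysubdomain.duckdns.org, and app1 listening on port 8080; in a real SWAG install the named app blocks normally live in proxy-confs/*.subdomain.conf, they are written out in one file here only for readability.

```nginx
# Added example (not from the thread or from SWAG). Assumed paths and
# hostnames: /config/nginx/ssl.conf, app1.mysubdomain.duckdns.org, app1:8080.

# Catch-all for any name no other server block claims (unused subdomains,
# the raw IP, scanners). 444 is an nginx-specific code: close the connection
# without sending a response. Because it sits at server level it covers
# every path, so /favicon.ico or /robots.txt get nothing either.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    include /config/nginx/ssl.conf;   # still needed: the TLS handshake completes before Host is known

    return 444;
}

# Same treatment for plain HTTP so unknown names are not redirected or answered.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    return 444;
}

# Only an exact, explicitly listed hostname reaches an upstream.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name app1.mysubdomain.duckdns.org;   # exact name, no wildcard
    include /config/nginx/ssl.conf;

    # Authelia's /authelia endpoint and auth_request wiring (SWAG snippet).
    include /config/nginx/authelia-server.conf;

    location / {
        # Every request must pass Authelia before it is proxied.
        include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;

        set $upstream_app app1;      # assumed container name
        set $upstream_port 8080;     # assumed port
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

# A second block identical in shape, with server_name app2.mysubdomain.duckdns.org,
# would be added for the other application.
```

Run `nginx -t` inside the container before reloading. To check the catch-all without touching DNS or browser caches, pin the name to your public address: `curl -kv --resolve unused.mysubdomain.duckdns.org:443:w.x.y.z https://unused.mysubdomain.duckdns.org/favicon.ico` should end with curl error 52 (empty reply from server), while the same command against app1.mysubdomain.duckdns.org should reach Authelia's login redirect. The 304 in the Chrome access-log line earlier in the thread is a conditional-request response for a page the browser already had cached, so curl or a clean profile gives a more reliable picture than a browser that has visited the welcome page before.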