restrict access to the admin url by ip in django with nginx and gunicorn

I am trying to restrict access to the admin section of my django app by using simple host-based access control in nginx. Unfortunately nginx does not seem to abide by the configuration request:

this is my setting for this particular section in nginx:

# gunicorn setup
location / { proxy_pass proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /admin/ { # restrict access to admin section allow 192.168.0.1; deny all; }

This does still block my ip 192.168.0.1. What am I doing wrong? Is there another way to block access to the /admin/ section of a django app?

2 Answers

I found a solution to this problem by replacing the /admin/ location with the following:

location ^~ /admin/ { # restrict access to admin section proxy_pass proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; allow 192.168.0.1; deny all;
}

I hope this will save someone some long searches on the internet. I would appreciate answers offering a better solution.

1

If you are using an AWS Load Balancer
Then you will run into an issue where the IP being passed is not the client IP but rather the IP of the LB.

You will need a different blocking mechanism here.Do the following precisely.

Add the following to the top level http block:

 # The X-Forwarded-For is the client IP which is what we need insted of the
# load balancer IP
real_ip_header X-Forwarded-For;
set_real_ip_from 10.0.0.0/8;
log_format main '$remote_addr - $remote_user $time_local ' '"$request" $status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"' ;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

Add the following to the server block. replace that x.x.x.x with your VPN or whitelisted IP. For example: ?44\.231\.29\.79?$

# Only allow access to admin panel through VPN IP
location ^~ /admin/ { # restrict access to admin section proxy_pass proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; set $allow false; if ($http_x_forwarded_for ~ " ?x\.x\.x\.x?$") { set $allow true; } if ($http_x_forward_for ~ " ?x\.x\.x\.x$") { set $allow false; } if ($allow = false) { return 403; }
} 

Answer taken from AWS forum

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like