3

For my site I'd like to be able to put up a maintenance 503 page, but with a whitelist of IP addresses that will be able to use the website as normal.

Would I have to craft something like this in Lua?

I see some questions like

Nginx Ip Whitelist

and

How can I setup a custom 503 error page in NGINX?

which explain how to do this separately, but I'd like to kind of combine them so I could take the site offline for the outside world but still be able to test it normally from certain IP addresses.

Neil

2 Answers

3

You could use the ngx_http_geo_module:

geo $denied {
    default 1; # nobody is allowed access by default

    # but people from the following networks/ip addresses are allowed access
    include whitelist;
    127.0.0.1      0;
    192.168.1.0/24 0;
}

server {
    location / {
        if ($denied) {
            return 503;
        }
    }
}
Cole Tierney
  • If is evil in nginx https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/. Also, why use geo when you can just use [ngx_http_access_module](http://nginx.org/en/docs/http/ngx_http_access_module.html)? – bschlueter Aug 31 '17 at 19:13
  • At the top of the "if is evil" page, it is stated that using return with if is 100% safe. – Cole Tierney Sep 01 '17 at 20:16
0

No need for Lua, just use the ngx_http_access_module:

location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}

Works in location blocks as well as any of: http, server, location, limit_except.

If you insist on Lua, follow the instructions to get Lua working, then you can use something like the example from the OpenResty readme:

location / {
    access_by_lua_block {
        -- check the client IP address is in our black list
        if ngx.var.remote_addr == "132.5.72.3" then
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    }
}
bschlueter
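The combination the question asks for, as an added example that is not part of either answer: the geo allowlist from the first answer wired to a custom 503 page. The server name, file paths and the Retry-After value are assumptions; the sample addresses are the ones used in the first answer.

```nginx
# Added example: maintenance mode with an IP allowlist.
# Place the geo block in the http{} context.

# geo keys on $remote_addr by default; the most specific match wins.
geo $maintenance {
    default         1;   # everyone else gets the maintenance page
    127.0.0.1       0;   # allowlisted: sees the normal site
    192.168.1.0/24  0;   # allowlisted test network (sample range)
}

server {
    listen 80;
    server_name example.com;            # placeholder
    root /var/www/site;                 # placeholder

    # Serve a custom body for the 503 returned below; without "=code"
    # the response status stays 503.
    error_page 503 /maintenance.html;

    location = /maintenance.html {
        internal;                       # reachable only via error_page
        root /var/www/maintenance;      # placeholder; must contain maintenance.html
        # "always" is required for headers on non-2xx/3xx responses.
        add_header Retry-After 3600 always;   # assumed value, in seconds
    }

    location / {
        # "return" is the documented safe directive to use inside "if".
        if ($maintenance) {
            return 503;
        }
        # Normal site handling for allowlisted clients.
        try_files $uri $uri/ =404;
    }
}
```

If nginx sits behind a load balancer or reverse proxy, `$remote_addr` is the proxy's address, so every client matches the same entry. In that setup, restore the client address with ngx_http_realip_module, restricting `set_real_ip_from` to the trusted proxy, before relying on the allowlist.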