Internal NGINX Reverse Proxy

Do you want your internal services to be available using your domain? This article will explain how to do just that.

Prerequisites

It is assumed that you already have an NGINX reverse proxy; if not, have a look at this article.

Configuration with Redirect

Create a new file for your domain in the /etc/nginx/sites-available folder and add the following content:

server {
    listen 80;
    listen [::]:80;

    server_name subdomain.mphslaats.com;

    access_log /var/log/nginx/mphslaats_com/subdomain_access.log;
    error_log /var/log/nginx/mphslaats_com/subdomain_error.log;

    if ($internal_access = 0) {
        return 302 https://mphslaats.com;
    }

    location / {
        include params/proxy_params;
        proxy_pass http://127.0.0.1;
    }
}

The if statement checks whether the requestor is an internal or an external client.
An internal requestor is allowed access to the server; any other requestor is redirected to another server.
To identify whether a requestor is internal or external, we need an additional configuration that sets $internal_access based on the client address. To do this, create a new file named /etc/nginx/conf.d/internal_networks.conf:

geo $internal_access {
    # Default: External
    default 0;

    # Internal networks
    10.0.0.0/8 1;
    192.168.0.0/16 1;
    172.16.0.0/12 1;
}

Currently, the file allows all internal networks. Make sure to set this to your needs (i.e. internal network and VPN network).

Once satisfied, validate the configuration using nginx -t.
If everything looks okay, enable the configuration using nginx -s reload.
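
Added example (not part of the original article): Python code that parses the geo block above and reports the value $internal_access would take for a set of client addresses, so the scoping can be checked before reloading. It follows geo's rule that the most specific matching network wins and shows that an internal IPv6 client is classified as external, because the block lists only IPv4 ranges while the server also listens on [::]:80. Assumptions: only default and CIDR entries are handled, the function names are hypothetical, and the client addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: the geo block from this page, as stored in
# /etc/nginx/conf.d/internal_networks.conf.
GEO_CONF = """
geo $internal_access {
    default 0;
    # Internal networks
    10.0.0.0/8 1;
    192.168.0.0/16 1;
    172.16.0.0/12 1;
}
"""

def parse_geo(conf):
    """Return (default_value, [(network, value), ...]) for one geo block."""
    body = re.search(r"geo\s+\$\w+\s*\{(.*?)\}", conf, re.S).group(1)
    default, networks = None, []
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")  # drop comments and ';'
        if not line:
            continue
        key, value = line.split()
        if key == "default":
            default = value
        else:
            networks.append((ipaddress.ip_network(key, strict=False), value))
    return default, networks

def classify(addr, default, networks):
    """Mimic the geo lookup: the most specific matching network wins."""
    ip = ipaddress.ip_address(addr)
    matches = [(n.prefixlen, v) for n, v in networks
               if n.version == ip.version and ip in n]
    return max(matches)[1] if matches else default

def audit(conf, clients):
    """Map each client address to the value the geo block assigns it."""
    default, networks = parse_geo(conf)
    return {c: classify(c, default, networks) for c in clients}

# Constructed clients: private-range edges, a public address, an IPv6 ULA address.
SAMPLE_CLIENTS = ["10.8.0.5", "172.31.255.254", "172.32.0.1",
                  "192.168.1.20", "203.0.113.7", "fd00::15"]

if __name__ == "__main__":
    for client, value in audit(GEO_CONF, SAMPLE_CLIENTS).items():
        print(f"{client:16} internal_access={value}")
```

The same check applies to the allow entries in the blocking variant further down: an address reported as 0 here would also hit deny all there.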

Configuration by Blocking

Create a new file for your domain in the /etc/nginx/sites-available folder and add the following content:

server {
    listen 80;
    listen [::]:80;

    server_name subdomain.mphslaats.com;

    access_log /var/log/nginx/mphslaats_com/subdomain_access.log;
    error_log /var/log/nginx/mphslaats_com/subdomain_error.log;

    include params/internal_params;

    location / {
        include params/proxy_params;
        proxy_pass http://127.0.0.1;
    }
}

The requestor will be filtered using the /etc/nginx/params/internal_params file.
Since we do not have this file yet, create it and fill it with the following information:

allow 10.0.0.0/8;
allow 192.168.0.0/16;
allow 172.16.0.0/12;
deny all;

Make sure to scope the allow entries to your needs (i.e. internal network and VPN network).

Once satisfied, validate the configuration using nginx -t.
If everything looks okay, enable the configuration using nginx -s reload.
