feat: nginx stream level ip blocking

2026-03-21 13:31:39 +00:00
parent 7905ca68a9
commit e84e47cb18


@@ -5,14 +5,45 @@ map $ssl_preread_server_name $proxy_name {
{% endfor %} {% endfor %}
} }
geo $priviledged_networks {
default 0;
127.0.0.0/24 1;
159.69.136.222 1; # atlantishq
95.217.57.49 1; # atlantis-helsinki
142.132.212.54 1; # katzencluster
10.0.0.0/8 1; # wireguard & k3s
192.168.122.0/24 1; # atlantishq-vms
192.168.123.0/24 1; # katzencluster-vms
192.168.124.0/24 1; # athq-helsinki-vms
192.168.125.0/24 1; # reserved/vm test net
135.181.80.154 1; # postgres master
46.62.175.169 1; # postgres replica
}
map $block_connection $proxy_target {
1 127.0.0.1:1; # blackhole (connection fails)
0 $proxy_name;
}
map $ssl_preread_server_name $is_restricted {
default 0;
~^immich-ml\.services\.atlantishq\.de$ 1;
}
map "$is_restricted:$priviledged_networks" $block_connection {
default 0;
"1:0" 1;
}
server { server {
listen 443 ; listen 443 ;
listen [::]:443 ; listen [::]:443 ;
proxy_timeout 5m; proxy_timeout 5m;
proxy_responses 1; proxy_responses 1;
ssl_preread on; ssl_preread on;
proxy_pass $proxy_name; proxy_pass $proxy_target;
} }
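Review bot: The `$is_restricted` map matches the SNI with a case-sensitive `~` regex, but host names in SNI are case-insensitive, so a name sent in mixed case would fall through to `default 0` and skip the block; `~*^immich-ml\.services\.atlantishq\.de$ 1;` closes that gap. More generally the restriction keys only on the client-supplied SNI: a connection with no SNI or a different name gets `$is_restricted` 0 from any source and is routed wherever the `$proxy_name` map's default points, and that map starts above the hunk, so it is worth a comment such as `# restriction is SNI-based; the $proxy_name default must not route to immich-ml` and a check that it does not. The `geo` block judges `$remote_addr`, which is only the real client address if this listener is edge-facing or receives PROXY protocol; if that assumption changes, every connection is classified by the upstream proxy's address. Minor: `priviledged` is misspelled in both the `geo` name and the combined map key `"$is_restricted:$priviledged_networks"`; renaming to `$privileged_networks` in both places keeps the config greppable.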