Create IP tables to enhance security behind CDN
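Allow the CDN provider's IPs and deny all others to force traffic to go via the CDN
Note: if you have enabled true client IP (so that nginx sees the original client address instead of the connecting CDN address), the rules are matched against the client address, and this IP table would just block all requests that are coming via the CDN IP ranges.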
Method 1
- Inside the server, create a new file:
vim /etc/nginx/cdn-ip-allow.conf
- Add all CDN IPs to this `cdn-ip-allow.conf` file. Example for the file:
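allow 192.168.0.0/24;  # example prefixes only; use the ranges your CDN provider publishes
allow 193.168.0.0/24;  # each entry needs a full address and a real prefix length (a /0 matches every client)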
allow 2c0f:f2d8::/32;
deny all;
- Add the below to the server block:
vim /etc/nginx/sites-available/example.com
server {
    listen 80;                               ## listen for ipv4
    listen [::]:80 default_server ipv6only=on;  ## listen for ipv6
    include /etc/nginx/cdn-ip-allow.conf;
    deny all;
}
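One way to generate the `cdn-ip-allow.conf` file from Method 1, shown as an added example that is not part of the original page: it validates every prefix before emitting an `allow` line, so a malformed entry or an over-broad mask is rejected instead of being loaded by nginx. The function name, the minimum prefix lengths and the sample prefixes (documentation ranges) are assumptions.

```python
import ipaddress

# Constructed sample input: documentation ranges standing in for a CDN's published list.
SAMPLE_PREFIXES = [
    "203.0.113.0/24",
    "198.51.100.7/24",   # stray host bits, normalised below
    "2001:db8::/32",
    "203.0.113.0/24",    # duplicate, emitted once
]


def render_allowlist(prefixes, min_v4_len=8, min_v6_len=16):
    """Return the text of an nginx allow list that ends in 'deny all;'.

    Raises ValueError for an entry that is not a valid address or CIDR,
    or whose mask is shorter than the assumed minimum (a /0 allows everyone).
    """
    nets = set()
    for raw in prefixes:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # skip blank lines and comments in the input list
        try:
            # strict=False masks host bits: 198.51.100.7/24 -> 198.51.100.0/24
            net = ipaddress.ip_network(text, strict=False)
        except ValueError as exc:
            raise ValueError(f"not a valid address or CIDR: {text!r}") from exc
        floor = min_v4_len if net.version == 4 else min_v6_len
        if net.prefixlen < floor:
            raise ValueError(f"prefix too broad for an allow list: {text!r}")
        nets.add(net)
    if not nets:
        # An empty list would leave only 'deny all;' and lock out the CDN too.
        raise ValueError("no prefixes given")
    ordered = sorted(nets, key=lambda n: (n.version, n))  # IPv4 first, then IPv6
    lines = [f"allow {n};" for n in ordered]
    lines.append("deny all;")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Redirect this output to /etc/nginx/cdn-ip-allow.conf.
    print(render_allowlist(SAMPLE_PREFIXES), end="")
```

Check the resulting configuration with `nginx -t` before reloading.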
Method 2
- Open the nginx config file:
vim /etc/nginx/nginx.conf
- Add the below to the config file:
http {
    # All IPv4 prefixes
    allow 192.25.25.0/22;
    # All IPv6 prefixes
    allow 2c0f:f2d8::/32;
    deny all;

    server {
        server_name example.com;
        # allow/deny rules set at this level replace the ones inherited from http
        allow 192.25.25.0;
        deny all;

        # You can define a specific IP to access the `login` area
        location /accounts/login {
            allow 192.25.25.0;
            deny all;
        }
    }
}