
Create IP tables to enhance security behind CDN


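Allow the CDN provider’s IPs and deny all others to force traffic to go via the CDN

Note: if you have enabled true client IP, nginx evaluates these rules against the visitor's address rather than the CDN's, so this IP table would block all requests that are coming via the CDN IP ranges.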

Method 1

  1. Inside the server, create a new file: vim /etc/nginx/cdn-ip-allow.conf

  2. Add all of the CDN's IP ranges to this cdn-ip-allow.conf file. Example contents:

     # Example ranges only; replace them with your CDN provider's ranges
     allow 192.168.0.0/16;
     allow 193.168.0.0/16;
     allow 2c0f:f2d8::/32;
     deny all;

  3. Add the include below to the server block: vim /etc/nginx/sites-available/example.com

     server {
             listen 80; ## listen for ipv4
             listen [::]:80 default ipv6only=on; ## listen for ipv6

             # Allow only the CDN ranges listed in the file (it ends with "deny all")
             include /etc/nginx/cdn-ip-allow.conf;
             deny all;
     }
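An added example, not part of the original page: a Python script that validates a list of CDN ranges before they are written to cdn-ip-allow.conf, rejecting malformed CIDRs and prefixes so broad that the trailing `deny all` would never apply. The sample ranges are constructed placeholders, and the function names and minimum prefix lengths are assumptions.

```python
import ipaddress

# Constructed sample ranges (placeholders, not a real CDN's list). The last
# three are deliberately bad to show what the validator rejects.
SAMPLE_RANGES = ["192.25.24.0/22", "2c0f:f2d8::/32", "192.25.25.0/22",
                 "192.168.0/0", "0.0.0.0/0"]

def parse_ranges(ranges, min_prefix_v4=8, min_prefix_v6=16):
    """Return (networks, errors). Strict parsing rejects malformed CIDRs and
    host bits; the prefix floors (assumed values) reject allow-everything rules."""
    networks, errors = [], []
    for text in ranges:
        try:
            net = ipaddress.ip_network(text.strip(), strict=True)
        except ValueError as exc:
            errors.append(f"{text}: {exc}")
            continue
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < floor:
            errors.append(f"{text}: prefix /{net.prefixlen} is too broad")
            continue
        networks.append(net)
    return networks, errors

def render_conf(networks):
    """Emit the body of cdn-ip-allow.conf: allow lines, then deny all."""
    ordered = sorted(set(networks), key=lambda n: (n.version, n))
    return "".join(f"allow {n};\n" for n in ordered) + "deny all;\n"

def is_allowed(networks, address):
    """Mirror the allow ... / deny all decision for one source address."""
    addr = ipaddress.ip_address(address)
    return any(addr in n for n in networks if n.version == addr.version)

if __name__ == "__main__":
    nets, errs = parse_ranges(SAMPLE_RANGES)
    print(render_conf(nets), end="")
    for e in errs:
        print("rejected:", e)
```

`is_allowed` takes whichever address nginx sees for the request: with true client IP enabled that is the visitor's address, which falls outside the CDN ranges and is denied, as the note above describes.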
    

Method 2

  1. Open the nginx config file: vim /etc/nginx/nginx.conf
  2. Add the below to the config file:

     http {
         # all IPv4 prefixes (example value)
         allow 192.25.24.0/22;
         # all IPv6 prefixes (placeholder from the documentation range)
         allow 2001:db8::/32;
         deny all;

         server {
             server_name example.com;
             allow 192.25.25.0;
             deny all;

             # You can define a specific IP to access `login` area
             location /accounts/login {
                 allow 192.25.25.0;
                 deny all;
             }
         }
     }