Nginx & OpenVPN confusion

geodirk Member

Hey All,

I'm trying to set up a BigBlueButton (BBB) to only accept VPN connections into it (since BBB doesn't support https out of the box). BBB runs under nginx, and looking at all the options that I have with it, it looks like using the allow & deny rules in the configuration would be the easiest way to accomplish the task.

From my home ip address, I can use the allow/deny commands as expected; deny gives me a 403 page and allow lets it pass through.

But when I try to access the page through an OpenVPN connection, I can never deny it (which means that if I do a 'deny all' in the config, I'll never be able to 'allow' it later). I modified the landing page's HTML to report back the visitor's IP and host IP address. As expected, the page reports back the home and VPN IP addresses just fine for both the visitor's IP and host IP.

From my VPN server's command line, if I 'curl' the domain, I get back that it is denied:

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/0.7.65</center>
</body>
</html>

Is there something different going on with an OpenVPN connection that I don't know about? My VPN client normally connects to the server via port 443. Maybe the requests are not coming to the server via the standard port 80, and that is the reason it isn't being blocked?

I'm baffled as to how to deny the VPN ip.

  • Geodirk

My nginx config file with the allow/deny part at the end of the file:

server {
    listen       80;
    server_name  bbb.mydomain.net;

    access_log  /var/log/nginx/bigbluebutton.access.log;

    # Handle RTMPT (RTMP Tunneling).  Forwards requests
    # to Red5 on port 5080
    location ~ (/open/|/close/|/idle/|/send/|/fcs/) {
        proxy_pass         http://127.0.0.1:5080;
        proxy_redirect     off;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

        client_max_body_size       10m;
        client_body_buffer_size    128k;

        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;

        proxy_buffering            off;
        keepalive_requests         1000000000;
    }

    # Handle desktop sharing tunneling.  Forwards
    # requests to Red5 on port 5080.
    location /deskshare {
        proxy_pass         http://127.0.0.1:5080;
        proxy_redirect     default;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        client_max_body_size       10m;
        client_body_buffer_size    128k;
        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;
        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
        include    fastcgi_params;
    }

    # BigBlueButton landing page.
    location / {
        root   /var/www/bigbluebutton-default;
        index  index.html index.htm;
        expires 1m;
    }

    # Include specific rules for record and playback.
    # Note: a location in an included file that declares its own allow/deny
    # replaces the server-level rules below for that location.
    include /etc/bigbluebutton/nginx/*.nginx;

    #error_page  404  /404.html;

    # Redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /var/www/nginx-default;
    }

    # This section defines which IP addresses are allowed to access the server.
    # Rules are checked in order and the first match wins; with "deny all"
    # commented out, any address that matches neither rule is allowed.
    # the VPN ip to deny
    deny 149.255.x.x;
    # the HOME ip to allow/deny
    allow 99.114.x.x;
    #deny all;
}
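To see what the posted rule set actually decides for a given client, here is a small evaluator of nginx's access-module semantics (rules checked in file order, first match wins, and a request that matches no rule is allowed). It is an added example written for this thread, not code from the original post or from BigBlueButton. The addresses in the two embedded config snippets are constructed documentation-range values standing in for the poster's redacted ones, and the tunnel subnet 10.8.0.0/24 is an assumption (the OpenVPN default), so substitute your own. The hardened snippet also adds a `/whoami` location that echoes `$remote_addr`, which is the quickest way to learn which source address nginx sees for a request that arrives over the tunnel.

```python
import ipaddress
import re

# Matches an nginx access-module directive such as "allow 10.8.0.0/24;" or "deny all;".
ACCESS_DIRECTIVE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;")

# Constructed stand-in for the posted config: one denied address, one allowed
# address, and "deny all" left commented out. The addresses are RFC 5737
# documentation ranges, not the poster's real (redacted) ones.
POSTED_STYLE_CONFIG = """
    # the VPN ip to deny
    deny 203.0.113.10;
    # the HOME ip to allow/deny
    allow 198.51.100.7;
    #deny all;
"""

# Constructed hardened version: allow the OpenVPN tunnel subnet (assumed to be
# 10.8.0.0/24, the OpenVPN default) plus localhost, then deny everything else.
# The /whoami location echoes the address nginx actually sees for a request.
HARDENED_CONFIG = """
    location = /whoami {
        return 200 "$remote_addr\\n";
    }
    allow 10.8.0.0/24;
    allow 127.0.0.1;
    deny all;
"""


def parse_access_rules(config_text):
    """Return the allow/deny directives of a config snippet, in file order.

    Each rule is (action, network); network is None for "all".
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments, so "#deny all;" is ignored
        match = ACCESS_DIRECTIVE.match(line)
        if not match:
            continue                         # not an access directive
        action, target = match.groups()
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def check_access(rules, client_ip):
    """Decide like ngx_http_access_module: first matching rule wins,
    and a request that matches no rule at all is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network is None:
            return action                    # "all" matches every address
        if addr.version == network.version and addr in network:
            return action
    return "allow"                           # fell off the end: not blocked


def evaluate(config_text, client_ips):
    """Map each client address to the decision the config would produce."""
    rules = parse_access_rules(config_text)
    return {ip: check_access(rules, ip) for ip in client_ips}


if __name__ == "__main__":
    # Constructed sample clients: the denied address, the home address, a client
    # arriving over the tunnel, and an unrelated address from the internet.
    clients = ["203.0.113.10", "198.51.100.7", "10.8.0.6", "192.0.2.44"]
    for name, cfg in (("posted style", POSTED_STYLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for ip, decision in evaluate(cfg, clients).items():
            print(f"  {ip:<14} {decision}")
```

Two things the run makes visible. First, with `deny all` commented out, every address not named in a rule (including a tunnel address such as 10.8.0.6) is allowed, so a client whose traffic reaches nginx from anything other than the one denied address cannot be blocked by that rule set. Second, the address to put in the `allow` rule is whatever `/whoami` reports for a client on the VPN: when OpenVPN terminates on the same host as nginx that is the client's tunnel address, and when the VPN server is a separate box that NATs its clients it is that box's egress address, which need not be the address `curl` uses from its own command line.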

Comments

  • So you are trying to only accept connections made from your VPN's IP address? If that is the case, use iptables instead.
