Nginx & OpenVPN confusion
Hey All,
I'm trying to set up a BigBlueButton (BBB) to only accept VPN connections into it (since BBB doesn't support https out of the box). BBB runs under nginx and looking at all the options that I have with it, it looks like using the ALLOW & DENY rules in the configuration would be the easiest to accomplish the task.
From my home ip address, I can use the allow/deny commands as expected; deny gives me a 403 page and allow lets it pass through.
But when I try to access the page through an OpenVPN connection, I can never deny it (which means that if I do a 'deny all' in the config, I'll never be able to 'allow' it later). I modified the landing page's html to report back the visitor's ip and host ip address. As expected, the page reports back just fine the home and VPN's ip addresses for both the visitor's ip and host ip.
From my VPN server's command line, if I 'curl' the domain, I get back that it is denied:
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/0.7.65</center>
</body>
</html>
Is there something different going on with an OpenVPN connection that I don't know about? My VPN client normally connects to the server via port 443. Maybe the requests are not coming to the server via the standard port 80 and that is the reason it isn't being blocked?
I'm baffled as to how to deny the VPN ip.
- Geodirk
My nginx config file with the allow/deny part at the end of the file:
server {
    listen 80;
    server_name bbb.mydomain.net;
    access_log /var/log/nginx/bigbluebutton.access.log;

    # Handle RTMPT (RTMP Tunneling). Forwards requests
    # to Red5 on port 5080
    location ~ (/open/|/close/|/idle/|/send/|/fcs/) {
        proxy_pass http://127.0.0.1:5080;
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffering off;
        keepalive_requests 1000000000;
    }

    # Handle desktop sharing tunneling. Forwards
    # requests to Red5 on port 5080.
    location /deskshare {
        proxy_pass http://127.0.0.1:5080;
        proxy_redirect default;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        include fastcgi_params;
    }

    # BigBlueButton landing page.
    location / {
        root /var/www/bigbluebutton-default;
        index index.html index.htm;
        expires 1m;
    }

    # Include specific rules for record and playback
    include /etc/bigbluebutton/nginx/*.nginx;

    #error_page 404 /404.html;

    # Redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/nginx-default;
    }

    #this section defines which ip addresses are allowed to access the server
    #the VPN ip to deny
    deny 149.255.x.x;
    #the HOME ip to allow/deny
    allow 99.114.x.x;
    #deny all;
}
Comments
So you are trying to only accept connections made from your VPN's ip address? If that is the case, use iptables instead.
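
An added example, not part of either post above: one way to check what the allow/deny rules in the posted server block do for the client addresses nginx actually records in its access log. nginx evaluates allow/deny in order against the connecting address, the first match wins, and an address that matches no rule is allowed. The addresses and log lines are constructed (documentation ranges stand in for the elided VPN and home IPs), and `decide` and `audit` are hypothetical helper names.

```python
import ipaddress

# Constructed rules mirroring the posted config, in the same order.
# "deny all" is left out because it is commented out in the post.
RULES = [("deny", "203.0.113.10"),    # stand-in for the VPN IP
         ("allow", "198.51.100.20")]  # stand-in for the home IP

# Constructed access-log lines in nginx's default "combined" format,
# whose first field is the client address nginx saw.
SAMPLE_LOG = """\
198.51.100.20 - - [01/Jan/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2012:10:00:05 +0000] "GET / HTTP/1.1" 403 169 "-" "curl/7.19"
10.8.0.6 - - [01/Jan/2012:10:00:09 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

def decide(addr, rules):
    """Apply allow/deny rules in order; first match wins, no match allows."""
    ip = ipaddress.ip_address(addr)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return action
    return "allow"

def audit(log_text, rules):
    """Return (client address, logged status, rule decision) per log line."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        addr = line.split()[0]
        # The status code is the first token after the quoted request line.
        status = int(line.split('"')[2].split()[0])
        results.append((addr, status, decide(addr, rules)))
    return results

if __name__ == "__main__":
    for addr, status, verdict in audit(SAMPLE_LOG, RULES):
        print(f"{addr:15} logged status={status}  rules say: {verdict}")
    # With "deny all" appended, any address not explicitly allowed is refused.
    strict = RULES + [("deny", "all")]
    print("10.8.0.6 with deny all:", decide("10.8.0.6", strict))
```

Running the same comparison on the real /var/log/nginx/bigbluebutton.access.log shows which source address each VPN request arrived with, which is the address the rules are matched against.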