Make IP limitations on secondary nginx

[fribse]

Is your feature request related to a problem? Please describe.
I'm using this great reverse proxy setup for some internal webservers, it works just perfect for us.

What I've done is that I have the nginx/letsencrypt on a DMZ server, I have another nginx (I'll call this secondary, which is set up with the variables for the nginx/letsencrypt) that does the forward to an internal webserver (IIS).

I need to limit the access to this internal webserver by IP, so I was trying to set it up on the secondary nginx, but this won't work it seems, as it's now seeing the 'nginx/letsencrypt' IP address.

Describe the solution you'd like
A way to use the simple allow/deny of IP address on the secondary somehow.
It's probably me missing something completely.

Describe alternatives you've considered
Can't think of any, except building a seperate server for this.

Additional context

[evertramos]

Hello @fribse, how u doing?

I am not sure if I got this right... you want to:

1. Limit the secondary nginx to only receive request from an specific IP Address, is that correct?

2. The IP address you will allow is a public IP Address?

This next question is more for understanding what you need to accomplish in order to help you out...

3. Will you limit the access to this secondary nginx for security reasons?

If so, you might limit using IPTables, UFW or any firewall, that would be even better then doing that by nginx itself or maybe both, so you will have two layers of security.

in order to forward your external IP address (user IP address) to your internal network/container, you may set this option into your primary nginx proxy at

nginx-proxy-automation/conf.d/realip.conf

Line 16 in 9b9f705

# The option 'set_real_ip_from'

[fribse]

1. Yes
2. Yes
3. Well, not really, it's a customer that doesn't want to pay for security, so I just want some minor limitations :-)

But using the firewall, then that will go for all the proxies I have, so that won't work (I don't have that many yet, but I hope there will be at some point).

My 'project' is called docker-compose-letsencrypt-nginx-proxy-companion , so I guess it's a previous version of this, as I don't see that folder structure here.
So I guess I should 'upgrade' it somehow?

[evertramos]

I think would be a good idea to update it, you can follow here:

https://github.com/evertramos/nginx-proxy-automation/blob/master/docs/upgrade-guide.md

Any issues you might open a discussion for that or an issue.

And the firewall you might specifiy the container network for that and you would block only for that specific container, but you will need to do over iptables, ufw will not work in that case because docker bypass ufw before it reaches your ufw rules.