Restricting Access by IP Address #356

@Indemnity83

The Problem
I'm using the reverse proxy to give simple domain names to a couple of dozen services all running on docker in my home so I don't have to remember what random port the container's web interface is on. I suspect this use case is quite common (see #137, #135 as similar examples). However, this potentially exposes my proxy hosts to the internet at large, and I don't want public access to these services.

The current Access list will let me put a basic auth "firewall" between the outside world and my private services, but it also complicates access for legitimate access (particularly since password managers can't always fill out basic auth requests, and strong passwords are highly encouraged for anything public).

The Solution
Expand the Access Lists to allow restriction by IP address in addition to basic auth. The NGINX documentation actually has an amazing example that describes exactly what we're after.

I've made a mockup of the revised "New Access List" modal (the HTML can be found in a gist here).

The goal of the UI changes is to keep things simple and approachable even for users who may not understand what's going on under the hood. No other UI changes would be necessary. I'm not certain of the extent of back-end changes required at this point.

Alternatives
This configuration can be achieved by utilizing the advanced -> Custom Nginx Configuration feature already built into the application. However, there are a few issues/concerns with implementing IP restriction this way:

  1. It requires the user to have an understanding of NGINX configuration
  2. Changes/updates must be applied to every proxy host individually
  3. It's not obvious from the proxy hosts list that there is any access control enabled (or conversely if you've forgotten to apply access restrictions to a host)
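
For reference, the kind of configuration the issue asks the Access List UI to generate, written as a plain nginx server block. This is an added example, not code from the issue author or the project; the host name, subnet, upstream port and password-file path are all assumed placeholders.

```nginx
# Added example: every name, address and path below is constructed.
server {
    listen 80;
    server_name service.home.example;        # hypothetical proxy host

    location / {
        # "any": a request passes if the IP rules OR basic auth succeed,
        # so LAN clients are not prompted and everyone else must log in.
        # "all" would instead require a matching IP AND valid credentials.
        satisfy any;

        # IP rules are evaluated in order; the first match wins.
        allow 192.168.1.0/24;                # assumed home LAN subnet
        allow 127.0.0.1;
        deny  all;

        # Basic auth remains as the fallback for addresses not allowed above.
        auth_basic           "Private service";
        auth_basic_user_file /etc/nginx/.htpasswd;   # placeholder path

        # Assumed container web interface behind the proxy.
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The `allow` and `deny` rules match the client address as nginx sees it, so if another proxy or NAT hop sits in front of this server, every request appears to come from that hop's address. Dropping the two `auth_basic` lines and the `satisfy` directive leaves a pure IP restriction.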
