We have a need to restrict access to the Aegir and Octopus satellite hostmaster websites, and have not been successful in following the hints document on adding custom conf files:
***from hints doc***
For Satellite Instances:
# /data/disk/EDIT_USER/config/server_master/nginx/post.d/
#
# For Master Instance:
# /var/aegir/config/includes/

The desired result would be to only allow internal 10.0.0.0/8 networks to the hostmaster websites:
The config in its simplest form would be:

location / {
  allow 10.0.0.0/8;
  allow 127.0.0.1;
  deny all;
}

Additionally, we want to limit the same access to the admin pages on each Octopus vhost:
The config in its simplest form would be:

location /admin {
  allow 10.0.0.0/8;
  allow 127.0.0.1;
  deny all;
}

Thanks for the support!

Peace,
Michael Clendening

Comments

omega8cc

You shouldn't use locations already present in the default configuration, because Nginx will fail to start, as it doesn't accept duplicate locations.

Furthermore, our standard how-to for extra rewrites will not work here for site-specific configuration, since you would need to make this access directive site/domain-specific, and it is not possible to use allow/deny directives inside an if {} block, so they would apply globally.

You would need to use the vhost injection trick, as explained before a few times.

Check the standard Aegir how-to first: http://community.aegirproject.org/node/70

For Nginx, follow this how-to - we assume that your Octopus system user is standard o1:

$ su -s /bin/bash - o1
$ nano ~/.drush/restricted.drush.inc

Paste there this code:

<?php
// Drush include loaded by Aegir's provision: the "restricted_" prefix of the
// hook name must match the filename restricted.drush.inc. $uri is the site's
// hostname as known to Aegir.
function restricted_provision_nginx_vhost_config($uri, $data) {
  // Substring match: any $uri containing one of these domains gets the lines.
  if (preg_match("/(?:domain\.com|another-domain\.com)/", $uri)) {
    // Lines returned here are written into the generated vhost for that site.
    return array("  allow 10.0.0.0/8;", "  allow 127.0.0.1;", "  deny all;\n");
  }
}

Where domain.com and another-domain.com are the domains/subdomains of the hostmaster sites you want to control access for with the allow/deny directives, globally, i.e. for all locations.

Note that the "restricted" part of the function name must match the filename part of the restricted.drush.inc file.

Save the file.

Now re-verify the hostmaster sites you wish to protect so those allow/deny lines will get inserted in the correct vhosts automatically.

To do the same for /admin location for all sites, you would need to hack default templates/includes and remove this location:

###
### Support for backup_migrate module download/restore/delete actions.
###
location ^~ /admin {
  if ($is_bot) {
    return 403;
  }
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}

Then follow the simple how-to and add your own location:

###
### Restricted access to /admin.
###
location ^~ /admin {
  allow 10.0.0.0/8;
  allow 127.0.0.1;
  deny all;
  access_log off;
  set $nocache_details "Skip";
  try_files $uri @drupal;
}
Anonymous

Works perfectly, can't thank you enough for the very quick response!

Peace,
Michael Clendening

omega8cc

Status: Active » Fixed

Great!

Anonymous

Grace, I noticed the procedure given above is writing to the vhost file, which is only configured for port 80. The allow and deny statements are somehow being bypassed when https is typed directly into the URL from a browser. Where is the proper place to add/hack the nginx conf for denying https from anywhere but the 10.0.0.0/8? Otherwise the procedure given above works fine, including not allowing a redirect to https.

Peace,
Michael Clendening

omega8cc

It is /var/aegir/config/server_master/nginx/pre.d/nginx_wild_ssl.conf

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
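The gap found in the follow-up (restriction present in the port 80 vhost, absent from the port 443 server block) is easy to re-introduce on the next re-verify. The script below is an added example, not code from this thread or from the Aegir/BOA project: it parses nginx server blocks, keeps only server-level allow/deny directives (a restriction living only inside location /admin does not count for the whole server), and reports per listen port whether access is confined to 10.0.0.0/8 and 127.0.0.1. The sample config and the hostmaster.example.com name are constructed for the example; to audit a real install, read the generated vhost together with /var/aegir/config/server_master/nginx/pre.d/nginx_wild_ssl.conf and pass the concatenated text to audit_vhost().

```python
"""Audit an Aegir-style nginx vhost for internal-only access restrictions.

Added example (Python), not code from the thread or from the Aegir/BOA project.
Every top-level `server { ... }` block is checked for server-level allow/deny
directives that confine access to the internal networks; the result is keyed
by listen port, so a port 443 block that missed the injected lines shows up
as unrestricted.
"""
import ipaddress
import re

# Networks allowed to reach the hostmaster site (taken from the question).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("127.0.0.1/32")]

# Constructed sample (hypothetical hostname): allow/deny lines were injected
# into the port 80 server block only; the port 443 block carries none.
SAMPLE_VHOST = """\
server {
  listen 80;
  server_name hostmaster.example.com;   # hypothetical name
  allow 10.0.0.0/8;
  allow 127.0.0.1;
  deny all;
  location / { try_files $uri @drupal; }
}
server {
  listen 443 ssl;
  server_name hostmaster.example.com;
  location / { try_files $uri @drupal; }
}
"""


def strip_comments(conf):
    """Remove `# ...` comments so a `;` inside one cannot split a directive."""
    return re.sub(r"#[^\n]*", "", conf)


def server_bodies(conf):
    """Yield the body text of each top-level `server { ... }` block."""
    depth, prev_end, body_start, header = 0, 0, 0, ""
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:
                header = conf[prev_end:i].strip()
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                if header.endswith("server"):
                    yield conf[body_start:i]
                prev_end = i + 1


def server_level_directives(body):
    """Parse directives sitting directly in the server block as token lists.

    Nested blocks (e.g. `location /admin { ... }`) and their headers are
    dropped: an allow/deny inside one location does not protect the server.
    """
    top, depth = [], 0
    for ch in body:
        if ch == "{":
            if depth == 0:
                text = "".join(top)
                top = list(text[: text.rfind(";") + 1])  # drop block header
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            top.append(ch)
    return [d.split() for d in "".join(top).split(";") if d.strip()]


def listen_ports(directives):
    """Ports from `listen 80;`, `listen 443 ssl;`, `listen [::]:443 ssl;`."""
    return [int(d[1].rsplit(":", 1)[-1]) for d in directives if d[0] == "listen"]


def is_internal_only(directives):
    """True if `deny all` is present and every `allow` is an internal network."""
    if ["deny", "all"] not in directives:
        return False
    allows = [d[1] for d in directives if d[0] == "allow"]
    if not allows:
        return False
    for a in allows:
        try:
            net = ipaddress.ip_network(a, strict=False)
        except ValueError:  # e.g. `allow all`
            return False
        if not any(net.version == n.version and net.subnet_of(n)
                   for n in INTERNAL_NETWORKS):
            return False
    return True


def audit_vhost(conf):
    """Map each listen port to whether its server block is internal-only."""
    result = {}
    for body in server_bodies(strip_comments(conf)):
        directives = server_level_directives(body)
        restricted = is_internal_only(directives)
        for port in listen_ports(directives):
            result[port] = restricted
    return result


if __name__ == "__main__":
    for port, ok in sorted(audit_vhost(SAMPLE_VHOST).items()):
        print(f"port {port}: {'internal only' if ok else 'NOT restricted'}")
```

On the sample this reports port 80 as internal-only and port 443 as not restricted, which is exactly the bypass described in the comment above; run it again after editing nginx_wild_ssl.conf and re-verifying the site to confirm both ports are covered.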