Roadmap Reveal 🗺 What's next for Rocket.Chat, Sep 22

Deny/Allow IP for /admin

/etc/nginx/conf.d

upstream rocket_backend {
  server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name example.domain.com;
    access_log /var/log/nginx/rocketchat-access.log;
    error_log /var/log/nginx/rocketchat-error.log;
    ssl_certificate /etc/nginx/example.domain.com.crt;
    ssl_certificate_key /etc/nginx/exampler.domain.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
    
    location /admin {
       allow 192.168.1.0/24;
       deny all;
    }
    
    location / {
        proxy_pass http://rocket_backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}

I can’t get the IP filter to work.

Shouldn’t this be in its own section like location / ??

server {
listen 443 ssl;
blah
}

location /admin {
allow 192.168.1.0/24;
deny all;
}

location / {
blah
}

And check your nginx logs.

What I am trying to do is block access to the admin section for local ips.