Nginx reverse proxy restrict access

[toomanylogins]

I am very familiar with Nginx but not in the context of opnsense. I have the reverse proxy working however it is letting traffic through and I don't understand why.

I have single external IP address and production websites prefix www are configured for the Nginx reverse proxy pointing to the orange network a server on 10.10.10.xx

I have another server on my green network used for staging websites these listen on www2. ISP DNS www2 and www both point to my external IP address.

If I use my phone ie not via the internal network and visit site www2 the traffic is routed via Nginx to the green network.

However I do not have nginx Http sever config for www2 only www and even so it is connected to the orange upstream network. So I do not understand how external traffic ends up going to the green network.

Does the Nginx setup ignore the prefix ?

Basically I'm trying to restrict traffic for the live websites or enable staging sites for specific address.

If a request arrives for which there is no matching http server what happens ? I noticed that the www2 are in the nginx log but not in the matching www http server config log. So www2 reguest are routed somewhere by default ?

Apologies if this sounds really convoluted.
Thanks
Paul

[Greelan]

Sounds to me like some form of misconfiguration? I use nginx as a webserver/reverse proxy on other systems, but I imagine that on OPNsense it has the same default server block defined (and if it doesn’t, then standard nginx behaviour is to treat the first server block defined as the default). But in neither case should it be proxying to the www2 server unless it has been configured to do so

[toomanylogins]

I agree. I had a look at /usr/local/etc/nginx/nginx.conf and it is correct. There is no server name defined for www2.mydomain.com only www.

In the firewall I have two rules for WAN on ports 80 and 443 for inbound point to this firewall ie

IPv4 TCP/UDP    *    *    This Firewall    443 (HTTPS)    *    *

There are no other rules for ports 80 and 443.

In my plesk log the traffic for www2 is shown as coming from the firewall.

The other odd thing is that the LE cert is not defined for www2 so I get the warning in the browser there for nginx is not serving the ssl which is correct. No idea how traffic is reaching this server.

Update.

The log of the first server in the list inc the requests for non matching domains

10.10.1.61 - - [18/Mar/2021:11:43:48 +0000] "GET /how-to-claim HTTP/2.0" 200 11687 "-" "Mozilla/5.0 (iPhone; CPU OS 13_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/32.1  Mobile/15E148 Safari/605.1.15" "-"

The above is in the access log for www2.domainA.com but the request was www2.domainb.com which does not have an http server.

Enabled extended log. Here is offending line.  "www2.domainb.com" sn="www2.domainA.com"

10.10.1.61 - - [18/Mar/2021:12:09:42 +0000] "GET /modules/mod_improved_ajax_login/cache/275/8fc07486905ddc143c702ba40050de24.png HTTP/2.0" 404 360 "https://www2.domainb.com/who-pays-who" "Mozilla/5.0 (iPhone; CPU OS 13_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/32.1  Mobile/15E148 Safari/605.1.15" "-" "www2.domainb.com" sn="www2.domainA.com" rt=0.551 ua="10.10.1.19:80" us="404" ut="0.550" ul="978" cs=-

Does that make sense to anyone.
Thanks

[toomanylogins]

It seems we need a default server for non existent domains

https://stackoverflow.com/questions/9824328/why-is-nginx-responding-to-any-domain-name

see

https://forum.opnsense.org/index.php?topic=20329.0

"nginx listens all addresses if the request arrives and its does not match any Server Names in the config, nginx uses the default server config. for now plugin does not support the directive for specifying the default server, so the first server is taken from the config"

I amended the first server in the list to a domain I am not using without  location and this serves the opnsense 404 page.

[Greelan]

Does nginx.conf have an include directive for a conf directory, so that you could drop a standard default conf in there? On all Linux systems, there is an include directive for /etc/nginx/conf.d/. Not sure what flex the OPNsense plugin gives you

[toomanylogins]

I thought that but read somewhere on here that if you edit the conf file its gets overwritten by the plugin. The plug-in itself does not have the option for an include file.  Setting up the first server in the list using the IP address of the WAN works resolves the problem this captures all of the undefined domain requests. However I have now caused another problem with CloudFront which is giving 502 I suspect because the certificate which CloudFront has probably cached somewhere was attached to the first domain.

[Greelan]

Yeah, after posting I wondered whether the conf may be overwritten