Restrict access to Nginx

[ChrisL]

Hi guys,

I feel a bit lost, I hope you can help me out.

I have been using OPNSense for a while now and I'm slowly getting used to it. My latest plugin is Nginx which is supposed to replace my Nginx instance running in a container on my Pi, I want the Pi only to host my actual services. But I don't really get how this fits into my setup.

I'm using the Wireguard plugin, it's on 192.168.200.0/24.

I have four VLAN interfaces.

DMZ 10 - 192.168.10.0/24
Trusted 20 - 192.168.20.0/24
Untrusted 30 - 192.168.30.0/24
Guest 100 - 192.168.100.0/24

I have currently two Upstream servers configured in Nginx. The configuration seems to be working since I can access both from the Trusted network with an Trusted to Any rule in the firewall.

Code: [Select]

Bitwarden 192.168.10.50 8085
Pihole 192.168.10.50 8001

I want to enable access to both Pihole and Bitwarden on port 443 from the Trusted VLAN and through the Wireguard VPN but not from the other VLAN. From what I understand Nginx listens to all interfaces on port 433. Here is my confusing - How do I limit access to it, or rather how do I enable access to it?

• I want to access Pihole and Bitwarden using a subdomain - ph.example.com and bw.example.com. To what IP should these point to? I currently have it point to 192.168.10.1 (DMZ) since it's the default gateway where the services resides.
• What firewall rules do I need? It's working from the Trusted network but it's due to having an any rules which I don't want to have from the Wireguard VPN.

[fabian]

There are some IP based access lists as far as I can remember.