IP-based access control to Slim endpoints in Nginx

Hello,

we need to control what IPs have access to what endpoints implemented in Slim. This is our simplified Nginx setup:

location ^~ /api/v1/foo {
        satisfy any;
        allow FOO_IP;
        # include allowed ips list
        include allowed_ips.conf;

        try_files $uri /public/index.php$is_args$args;
}

location / {
        # include allowed ips list
        include allowed_ips.conf;

        try_files $uri /public/index.php$is_args$args;

        # execute .php files
        include php-slim.conf;
}

As you can see, only people in the allowed_ips whitelist have access to Slim. Additionally, we would like to allow FOO_IP to reach the path /api/v1/foo. However, since the try_files directive in that location is:

try_files $uri /public/index.php$is_args$args;

the request will end up in the location / block, and thus we must add FOO_IP there as well, effectively granting it access to all other endpoints.

What is the proper pattern for Slim + Nginx in this case? Thanks a lot for any replies!

EDIT: the allowed_ips.conf file ends with a deny all;

In the end we solved it with the use of named blocks like this, in case anyone ever looks for the same.

location ^~ /api/v1/foo {
        satisfy any;
        allow FOO_IP;
        # include allowed ips list
        include allowed_ips.conf;

        try_files $uri @slim;
}

location / {
        # include allowed ips list
        include allowed_ips.conf;

        try_files $uri @slim;
}

location @slim {
        # execute .php files
        include fastcgi_params;
        fastcgi_index public/index.php;
        fastcgi_param SCRIPT_FILENAME   $document_root/public/index.php;
        fastcgi_param QUERY_STRING    $args;
        fastcgi_pass unix:/run/php/php-fpm.sock;
}

The difference is that the internal redirect points to @slim, which cannot be reached unless there is an internal redirect from some other location first. This differs from our previous setup, where location / was both the destination of internal redirects and the default entry location for the vhost.
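For reference, here is the same pattern as a complete, self-contained server block. This is an added example, not the configuration from the post above: the trusted ranges 203.0.113.0/24 and 198.51.100.7 stand in for the contents of allowed_ips.conf and for FOO_IP, the server_name and root path are placeholders, and the site root is assumed to be the project directory rather than public/, which is what $document_root/public/index.php in the post implies. The two `location ~` guards are a hardening addition that the post does not contain: with try_files $uri in an access-controlled location, any file that actually exists under root is served as a static file to a whitelisted client, so PHP sources and dotfiles under the project root need to be refused explicitly.

```nginx
# Added example (not from the original post). Placeholders:
#   203.0.113.0/24  -> the ranges normally kept in allowed_ips.conf
#   198.51.100.7    -> FOO_IP
#   /srv/slim-app   -> project root (NOT public/), matching the
#                      $document_root/public/index.php used in the post
server {
    listen 80;
    server_name api.example.test;
    root /srv/slim-app;

    # Front controller. A named location is never selected by URI matching,
    # so this block is only reachable via try_files from one of the
    # access-controlled locations below; access rules are evaluated there.
    location @slim {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/public/index.php;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Hardening (not in the post): try_files $uri serves existing files
    # statically, so refuse PHP sources and dotfiles (.env, .git, ...) that
    # live under the project root. Regex locations are checked before the
    # plain prefix location / but after the ^~ prefix location.
    location ~ \.php$ {
        return 404;
    }
    location ~ /\. {
        return 404;
    }

    # Partner endpoint: reachable from the whitelist OR from FOO_IP.
    # satisfy any means one matching allow is enough; the trailing deny all
    # (the last line of allowed_ips.conf in the post) still rejects
    # everyone else.
    location ^~ /api/v1/foo {
        satisfy any;
        allow 198.51.100.7;      # FOO_IP
        allow 203.0.113.0/24;    # contents of allowed_ips.conf
        deny  all;               # last line of allowed_ips.conf
        try_files $uri @slim;
    }

    # Everything else: whitelist only. FOO_IP is not listed here, so a
    # request to any other Slim route from FOO_IP gets 403 before the
    # internal redirect to @slim ever happens.
    location / {
        allow 203.0.113.0/24;    # contents of allowed_ips.conf
        deny  all;               # last line of allowed_ips.conf
        try_files $uri @slim;
    }
}
```

Two checks worth running after deploying a variant of this: request /api/v1/foo from FOO_IP and from an address outside the whitelist (expect 200 and 403 respectively), and request /public/index.php and /.env from a whitelisted address (expect 404, not the file contents). The ordering matters for the second check: a plain `location /` would otherwise hand an existing file back as a static download, since nginx has no MIME type for .php and falls back to default_type.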