If you have a server with multiple IPs configured, you may want to limit access to certain instances or even the OPC to specific IP addresses.

Some examples would be to limit access to the OPC to an internal IP address, or you could have an internal instance for staff which you do not want to be accessible to the public. You may also want 2 instances accessible via IP on the same ports.

As Deskpro uses nginx to handle web requests, you will need to modify the server block for your instance or the OPC to specify which IP to listen on.

Before you start

You may want to confirm your existing setup to ensure no other services are listening specifically on that IP or port.

To do this, you can check what services are listening on what ports (and through what IP) with the netstat tool.

netstat -anltp | grep LISTEN
 copy

If netstat isn't installed, it is part of the net-tools package which can be installed with apt install net-tools.

cp /path/to/file{,.bak}
 copy

cp /opt/deskpro/data/opc/services/nginx/conf.d/29080.conf{,.bak}
 copy

Modifying the configuration

You can find your nginx server blocks in the following directories:

OPC

/opt/deskpro/data/opc/services/nginx/conf.d/
 copy

Instances

/opt/deskpro/data/instances/{instance_id}/services/nginx/conf.d/
 copy

(You will need to replace {instance_id} with your Instance ID)

You should have 2 files stored in that directory containing the server blocks for the HTTP and HTTPS configurations for your OPC or instance, which you would need to modify using a text editor such as nano vi or vim

Near the start of the server block, you will need to modify the listen directive to specify what IP and port to listen on. By default, if an IP is not specified, then nginx will assume 0.0.0.0, which means it should listen on ALL IP addresses. To limit this to a single IP, you need to specify in the following format:

listen {ip}:{port} {options};
 copy

As an example, if you wanted to limit access to the IP address 10.0.0.2, on Port 443, which is your ssl port, you would format it as follows:

listen 10.0.0.2:443 ssl;
 copy

You can specify multiple IP addresses with multiple listen directives and configure IPv6 addresses by placing them within square brackets [].

Full documentation on how to use this directive is available in the nginx documentation here.

Applying the configuration

In order for nginx to start using the new configuration, the service must be reloaded.

Before reloading or restarting any services, it is always a good idea to perform a syntax check on the configuration to rule out any syntax errors or typos. This can be done by running the command nginx -t

If you see that the test was successful, it does not necessarily mean that your configuration is correct, but nginx is at least able to parse the file correctly.

You will now need to reload your nginx configuration. This does not stop the service from running, but it will check for any configuration changes and apply them. To reload your nginx configuration, run the following command:

systemctl reload nginx
 copy

If your configuration is broken in any way, nginx will remain on the old configuration and will just fail to reload, so it is always good practice to check to confirm the new configuration has been loaded.

To do that, run the following command to check the status of the service:

systemctl status -l nginx
 copy

If everything was successful, you should see the following lines timestamped at the time you reloaded your configuration:

Reloading A high performance web server and a reverse proxy server.
Reloaded A high performance web server and a reverse proxy server.
 copy

You should now only be able to access your instance or OPC from the IPs specified in your configuration.