Access List with NGINX Proxy Manager

NGINX Pi-Hole

Continuing my journey with NGINX, I decided to investigate Access Lists. My goal was to provide fully-qualified domain names for some of my self-hosted services, but with a catch: I wanted to reach several services on my internal network without typing in an IP:Port combination, while still requiring password authentication when accessing them from outside my network.

There was one notable issue with this setup: when you query a FQDN, your DNS resolver returns the public IP, so the request leaves your network and comes back in, and NGINX sees the client as your WAN IP rather than your LAN IP. I will get into how I solved this later; first I want to review how I set up an Access List.

In NGINX Proxy Manager, navigate to the Access Lists tab and click "Add Access List". The popup modal has three tabs, all of which needed configuration for my particular goal.

On the Details tab I gave the Access List a name, "Local Network or Password", and enabled the Satisfy Any setting.

On the Authorization tab I configured a strong username and password. Because Satisfy Any means any one of the access rules must pass rather than all of them, this is what anyone reaching the service from outside my network will be prompted for (password or network, not both).

On the Access tab I added a rule allowing any IP on my local network, e.g. 10.0.1.0/24, which covers every IP from 10.0.1.0 to 10.0.1.255.

With the Access List configured, I had to apply it to every appropriate Proxy Host in my setup: edit the proxy host and select the Access List name you just created. Note one gotcha here: if you later change the Access List, you must go back and edit/re-save every Proxy Host that uses it. Proxy Hosts do not appear to pick up the changes on their own; the update has to be forced by re-saving.
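For readers who want to see what the three tabs amount to in plain nginx terms, here is a hand-written equivalent of the "Local Network or Password" Access List. This is an added example, not the file NGINX Proxy Manager generates; the hostname, certificate and htpasswd paths, and the upstream IP:Port are assumptions.

```nginx
# Hand-written nginx equivalent of the Access List above (added example,
# not NGINX Proxy Manager's generated config; paths and hostname are assumed).
server {
    listen 443 ssl;
    server_name service.example.com;                 # assumed hostname

    ssl_certificate     /etc/ssl/service.example.com.crt;   # assumed path
    ssl_certificate_key /etc/ssl/service.example.com.key;   # assumed path

    # Details tab, "Satisfy Any": a request passes if EITHER the address
    # rules OR basic auth succeeds. "satisfy all;" would require both.
    satisfy any;

    # Access tab: allow the LAN, deny everyone else. nginx applies the first
    # matching allow/deny, and the trailing "deny all" is what turns the
    # allow line into a real allow-list instead of a no-op.
    allow 10.0.1.0/24;
    deny  all;

    # Authorization tab: HTTP Basic auth against an htpasswd file.
    # Create it with: htpasswd -B -c /etc/nginx/access/local-or-password <user>
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/access/local-or-password;   # assumed path

    location / {
        proxy_pass http://10.0.1.5:8080;   # assumed IP:Port of the self-hosted service
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Two things worth knowing about this shape. First, `allow`/`deny` match on `$remote_addr`, the address of the TCP peer, not on headers such as `X-Forwarded-For`, so an external client cannot claim LAN membership by sending a forged header. Second, that same fact is why a request that resolves to your public IP and comes back in through the router does not match `10.0.1.0/24` and gets the password prompt instead; the Pi-hole change described next is what makes the client's real LAN address show up in `$remote_addr`.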


And finally, my Pi-hole fix. As mentioned, because I am querying a FQDN the request goes out and comes back in, so NGINX sees my WAN IP rather than my LAN IP. It's a simple fix. In Pi-hole (or wherever you manage DNS in your environment) you define a local DNS record so the name is resolved locally instead of being sent to upstream DNS. In Pi-hole, go to Local DNS and add a record that points your external service domain name at your internal NGINX instance, not at the IP address of the machine running the service; otherwise you would be bypassing NGINX (and the Access List) entirely.
