Whitelisting IPs using NGINX Home Assistant SSL proxy

So I’m using the official NGINX Home Assistant SSL proxy add-on and everything is working fine. Since I’m willing to expose HA to the internet (with the Add-on being the reverse proxy), I’d like to only allow incoming traffic from one single external IP address.

With nginx I’d just set “allow” within the configuration. But since NGINX Home Assistant SSL proxy is configured via YAML, I’m not quite sure, where and how to add this setting.

Thanks for any advice.

I use this in configuration.yaml

http:
  base_url: https://my.subdomain.net
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.2.1
  ip_ban_enabled: true
  login_attempts_threshold: 3

Which ensures only my NGINX server (199.168.2.1) proxying for https://my.subdomain.net gets through, and more than 3 incorrect logins will ban the [remote] client.

Aside, why would you have a reverse proxy on the same box as the remote host? And what do you mean by “expose” - not port forwarding, me hopes, otherwise you have an overkill.

I want to have an nginx on a VPS that will forward traffic to the internal nginx. For this to work, I plan to forward tcp/443 to the internal nginx. That’s why I want my internal nginx to only respond/allow connections from the nginx installed on the VPS in the public internet.

But reading the source code of the add-on, I think I know how to set it up.
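For the setup described in this thread (VPS nginx forwarding tcp/443 to the internal add-on nginx, which should answer only to the VPS), here is an added example of the allow/deny fragment; it is not from the original posts or from the add-on itself. It assumes the add-on’s `customize` option is enabled so that `/share/nginx_proxy_default*.conf` is included inside the add-on’s server block, and `203.0.113.10` is a placeholder for the VPS’s static public IP.

```nginx
# /share/nginx_proxy_default.conf  (added example; placed here so the
# add-on's "customize" option pulls it into its HTTPS server block)
#
# Only the VPS reverse proxy may reach this server block. Every other
# client gets a 403 before anything is proxied on to Home Assistant.
allow 203.0.113.10;   # placeholder: static public IP of the VPS nginx
deny  all;

# Caveat: allow/deny is evaluated against $remote_addr, i.e. the TCP
# source of the forwarded connection. If the router masquerades the
# port-forwarded traffic, $remote_addr becomes the router's LAN address,
# and this rule would then block everything (or, if you allowed the
# router, allow everyone). Check the add-on's access log for the
# $remote_addr of a test request from the VPS before enabling "deny all".
```

Because the internal nginx is now the only hop Home Assistant sees, `trusted_proxies` in `configuration.yaml` should name the add-on’s address, and the VPS nginx should forward `X-Forwarded-For` so that `ip_ban_enabled` bans the real remote client rather than the VPS.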

I have the same setup, almost.
My nginx is on Digital Ocean in a Droplet. I run an IPsec/L2TP VPN (very fast). So the droplet is a homebrew VPS+nginx server. It forwards traffic - from only my subdomain - onto the VPN and into my LAN.

So what is the purpose of another nginx on your LAN? Your VPS running nginx and VPN could do exactly the same and much faster??
Is this external IP you use your subdomain or an ISP IP, or …??

Finally, that yaml code above, if you change the IP address to your external IP then HA will only allow incoming connections from that IP [presume it’s static]?

Well, the internal nginx is there at no cost (it’s the HA add-on managing SSL and is only accessible in the LAN). Yes, the IP is static for my VPS.
I was also thinking of connecting from inside to VPS via VPN. Maybe I’ll check this out.

The goal is to eventually restrict the VPS nginx to some Google IPs so that I can setup Google Assistant for example.

As for the code above: with HA still being beta, I don’t want it to be responsible for handling that IP check. Nginx is potentially more secure than HA in doing this job.

Just out of curiosity: Do you run the IPsec/L2TP on your droplet and connect from your LAN to it, or the other way around?

With this potential setup I’d be concerned that if your droplet gets compromised, an attacker would gain access to your LAN. How do you mitigate this risk?