How to block / restict access to a certain path/location

[The-Istar]

I want to give Zoraxy a try as it looks like a very good product. However I can not seem to figure out how I can block only a certain path from being accessed externally.

In my particular use case for example I self host a vaultwarden server which I can access externally. However I want to admin page only to be accessible internally.

In both NGINX and Caddy it is possible to grant access to domain.com but block access to domain/com/admin.
However I can not find a way to do this in Zoraxy.

This is the block list feature, which would do what it needs to do on a domain level.
And then there is the virtual directory function which does not allow pointing tot he same destination and it does not have the block list feature,

I tried to create this domain with path as a seperate proxy rule and it does seem to add it, however the entry is lost on restart of the application. Also you get an error if you wan to add custom headers. But weirdly not when creating the rule,

Anybody have any idea how to get this done in Zoraxy? Or is this simply a missing feature?

[tobychui]

Isn't that usually the job of the origin web server like apache? I think currently Zoraxy don't have this feature, but if you want one, feel free to create a feature request on this.

If you want to achieve this with the current version of Zoraxy, you can setup a redirection rule and point it to your default site where it is set to 404 or internal web server with custom Permission Denied static template.

[The-Istar]

Thanks for the reply.
Not sure why this would be the responsibility of the origin web server? As without setting the correct Headers (x-forwarded-for or x-real-ip) it would not even know if the request came from outside or inside. Also from a security point of view it is a lot better to stop the traffic before it reaches the back end server..

I am also not sure how the redirection rule helps here? Wouldn't that redirect all traffic regardless of origin?

As mentioned, both NGINX and Caddy can do this out of the box.

See for examples see here:

If I want to raise this as a feature request, do I do this under Issues or under Discussions -> Ideas?

[tobychui]

From security perspective, you should keep your in-house system in a separated network / domain and proxy with another instance of reverse proxy (if needed). There is rarely a case where one single upstream (software wise, not hardware physical server) serve both public and internal services. And even in such case where you only have single instance of reverse proxy server and a single usable public IP address, you should separate them into a dedicated sub-domain and do access control with access rules (e.g. whitelist the internal service sub-domains with local IP only)

For your last question, if you really want to raise a feature request for this, you can do it under the Issue --> Enhancement request.