Can't find a way to whitelist IPs

#1
Hello
I recently added vaultwarden as a new virtualhost with proxy and websocket configured.
Now I want to restrict the "/admin" URI to the LAN subnet only.
So I added a static context with /admin, allowed the LAN and denied everything else with "ALL".
But instead it's just allowing every IP, as if the context was not even there.
What could be wrong?

This is my full vhost config:

Code:
docRoot                   /empty
enableGzip                0
enableBr                  0
enableIpGeo               0

errorlog  {
  useServer               1
  logLevel                ERROR
}

accesslog /dev/shm/logs/web/vaultwarden.log {
  useServer               0
  compressArchive         0
}

extprocessor vaultwarden_backend {
  type                    proxy
  address                 [::1]:3001
  maxConns                100
  pcKeepAliveTimeout      -1
  initTimeout             3
  retryTimeout            3
  respBuffer              0
}

context /admin {
  autoIndex               0

  accessControl  {
    allow                 fd00:0:0:1::/64
    deny                  ALL
  }

  rewrite  {
    enable                0
    inherit               0
  }
  addDefaultCharset       off
}

context / {
  type                    proxy
  handler                 vaultwarden_backend
  extraHeaders            set Strict-Transport-Security "max-age=15552000; preload"
  addDefaultCharset       off
}

vhssl  {
  keyFile                 /mnt/ssd/encrypted/acme-sh-certs/vaultwarden/key.pem
  certFile                /mnt/ssd/encrypted/acme-sh-certs/vaultwarden/fullchain.crt
  certChain               1
}

websocket / {
  address                 [::1]:3001
}
 
#2
Looks like OLS is not happy when the directory doesn't exist; it just throws an error and ignores the context definition.

[428471] [config:server:vhosts:vhost:vaultwarden:context:/admin] path is not accessible: /empty/admin

If I create the directory, then there is no error and the ACL works, but instead of /admin I get a 301 to /admin/, which returns a 404, obviously.
 
#3
Do you mean /empty/admin is a folder? Then /admin/ is expected. If that's not the case, please provide more information, like is there any file under the admin folder.
 
#4
/empty is an empty folder I've set as the document root of this virtual host. /empty/admin doesn't exist.
Actually, I don't need a document root, as this vhost is only a reverse proxy, but OpenLiteSpeed forces me to put one. So I created an empty folder.
 
#5
I'm a little confused. If the / context is already proxying everything to vaultwarden_backend, and you want to add another context for /admin to whitelist specific IPs, is that correct? If so, you may want to use another proxy context rather than a static context.
 
#6
Thanks, it works when using a proxy instead of a static context.
I thought adding a static context would be enough just to whitelist some IPs.
Btw, is using an empty directory as the DOC_ROOT the best practice for a virtual host used only for proxying?
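
Added example, not part of the original thread and not OpenLiteSpeed's own tooling: a small config check that flags the mistake discussed above, an accessControl block placed on a static context under a URI that a proxy context already covers. The sample configs are constructed from the vhost config in post #1; the FIXED form, the function names, and treating a context with no type line as static are assumptions.

```python
# Constructed samples: the /admin context as posted in #1 (static, no "type"),
# and an assumed corrected form that reuses the proxy handler from the thread.
BROKEN = """
context /admin {
  accessControl  {
    allow                 fd00:0:0:1::/64
    deny                  ALL
  }
}
context / {
  type                    proxy
  handler                 vaultwarden_backend
}
"""
FIXED = BROKEN.replace(
    "context /admin {",
    "context /admin {\n  type proxy\n  handler vaultwarden_backend")

def parse_contexts(conf):
    """Return {uri: {"type": str|None, "acl": bool}} for top-level context blocks."""
    contexts, depth, cur = {}, 0, None
    for raw in conf.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[-1] == "{":                      # a block opens
            depth += 1
            if depth == 1 and words[0] == "context" and len(words) == 3:
                cur = words[1]
                contexts[cur] = {"type": None, "acl": False}
            elif depth == 2 and cur and words[0] == "accessControl":
                contexts[cur]["acl"] = True
        elif words == ["}"]:                      # a block closes
            depth -= 1
            if depth == 0:
                cur = None
        elif depth == 1 and cur and words[0] == "type" and len(words) > 1:
            contexts[cur]["type"] = words[1]
    return contexts

def static_acl_under_proxy(conf):
    """URIs with an ACL on a static context that a proxy context also covers.
    Per the thread, such a context is dropped when its path is missing under
    docRoot, or answers from docRoot instead of the backend when it exists."""
    ctx = parse_contexts(conf)
    proxied = [u.rstrip("/") + "/" for u, c in ctx.items() if c["type"] == "proxy"]
    return sorted(u for u, c in ctx.items()
                  if c["acl"] and c["type"] is None
                  and any(u.startswith(p) and u != p for p in proxied))
```

After changing the config, confirm the result from an address outside the allowed subnet, and check the error log for a "path is not accessible" line like the one in post #2.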
 