Restrict access to invoiceninja backend


We’re hardening our self hosted invoice ninja instance. By exposing on internet only the relevant services :

  • From internet : payement link , client portal
  • From our office : backend

It seems like all the backend api endpoints are under : /api

So basically its just adding a new location directive to protect /api ;
One issue we found, is that because “rewrite” takes precedence on “location” that doesn’t work.
So we moved the rewrite from the block’s root to the “location /” directive.

Do you see any reasons to keep the rewrite in the root ?


   # Restrict access to /api for private network only
   location /api {
    allow OFFICE_IP_RANGE;
    deny all;  # Deny all other access

# Force redirect  / to client portal
   location = / {
   	return 301 /client/login;

   location / {
   	# This condition moved from root to here ("rewrite" precedence on "location" directives)
	if (!-e $request_filename) {
		rewrite ^(.+)$ /index.php?q= last;



@david can you please advise?