Question

I'm running an Nginx 1.2.4 webserver here, and I'm behind a proxy of my hoster to prevent DDoS attacks. The downside of being behind this proxy is that I need to get the REAL IP information from an extra header. In PHP it works great by doing $_SERVER['HTTP_X_REAL_IP'] for example.

Now, before I was behind this proxy of my hoster, I had a very effective way of blocking certain IPs by doing this: include /etc/nginx/block.conf and allowing/denying IPs there.

But now due to the proxy, Nginx sees all traffic coming from 1 IP.

I have configured Nginx with --with-http_realip_module so I should now be able to get the real IPs from people.

In my nginx.conf I have added:

real_ip_header X-Forwarded-For;
include blockips.conf;

I have also tried:

real_ip_header X-Real-IP;
include blockips.conf;

In both cases, IPs listed in blockips.conf are not being blocked. Also, in my log files I do not see the real IPs; only the proxy IP shows up.

What am I doing wrong?

Solution

I solved it.

Had to add:

set_real_ip_from 0.0.0.0;

Where 0.0.0.0 is the IP of the proxy.

OTHER TIPS

Careful: Setting set_real_ip_from 0.0.0.0/0; can be a potential security issue, because it will allow any incoming request with headers such as X-Forwarded-For to set the real IP. Even though in special cases this might be useful, it almost certainly creates a circumvention method for IP blocking in nginx. Thanks to @phylae for clarifying in his comment.
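
The trust decision discussed in the answers above, as an added example that is not part of the original posts and is not nginx code: a simplified Python model of how the realip module picks the address used for allow/deny, with real_ip_recursive left at its default (off). All addresses are constructed values from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

def resolve_client_ip(peer, header_value, trusted):
    """Address used for allow/deny and logging (simplified model).

    peer         -- address of the TCP connection nginx accepted
    header_value -- value of the real_ip_header field, or None
    trusted      -- set_real_ip_from networks as CIDR strings
    """
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(n) for n in trusted]
    # The header is honoured only when the peer is a trusted proxy.
    if not header_value or not any(peer_ip in n for n in nets):
        return str(peer_ip)
    # With real_ip_recursive off, the last address in the header is used.
    last = header_value.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return str(peer_ip)  # malformed header: keep the connection address

def evaluate(peer, header_value, trusted, deny):
    """Return (resolved address, True if a deny rule matches it)."""
    resolved = resolve_client_ip(peer, header_value, trusted)
    ip = ipaddress.ip_address(resolved)
    return resolved, any(ip in ipaddress.ip_network(d) for d in deny)

# Constructed sample values (hypothetical, documentation ranges).
PROXY = "192.0.2.10"        # hoster's proxy
BLOCKED = "198.51.100.7"    # client listed in blockips.conf
DENY = [BLOCKED + "/32"]    # models: deny 198.51.100.7;
CLAIMED = "203.0.113.99"    # arbitrary address placed in the header

if __name__ == "__main__":
    cases = {
        "no set_real_ip_from, via proxy": (PROXY, BLOCKED, []),
        "proxy trusted, via proxy": (PROXY, BLOCKED, [PROXY + "/32"]),
        "0.0.0.0/0 trusted, direct + forged header": (BLOCKED, CLAIMED, ["0.0.0.0/0"]),
        "proxy trusted, direct + forged header": (BLOCKED, CLAIMED, [PROXY + "/32"]),
    }
    for name, (peer, hdr, trusted) in cases.items():
        print(name, "->", evaluate(peer, hdr, trusted, DENY))
```

The third case is the circumvention the tip warns about: the deny rule is evaluated against the header's value instead of the connecting address. Restricting set_real_ip_from to the proxy's own address keeps the deny rule effective for both proxied and direct connections.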

Licensed under: CC-BY-SA with attribution