Using Nginx to block IP's behind proxy
Question
I'm running a Nginx 1.2.4 webserver here, and I'm behind a proxy of my hoster to prevent DDoS attacks. The downside of being behind this proxy is that I need to get the REAL IP information from an extra header. In PHP it works great by doing $_SERVER['HTTP_X_REAL_IP'] for example.
Now, before I was behind this proxy of my hoster, I had a very effective way of blocking certain IPs by doing this: include /etc/nginx/block.conf and allowing/denying IPs there.
But now due to the proxy, Nginx sees all traffic coming from 1 IP.
I have configured Nginx with --with-http_realip_module so I should now be able to get the real IPs of people.
In my nginx.conf I have added:
real_ip_header X-Forwarded-For;
include blockips.conf;
I have also tried:
real_ip_header X-Real-IP;
include blockips.conf;
In both cases IPs listed in blockips.conf are not being blocked. Also in my log files I do not see the real IPs; only the proxy IP shows up.
What am I doing wrong?
Solution
I solved it.
Had to add:
set_real_ip_from 0.0.0.0;
where IP 0.0.0.0 is the proxy.
Other suggestions
Make sure you have http://nginx.org/en/docs/http/ngx_http_realip_module.html enabled
set_real_ip_from 123.123.255.0;
or for a range of IPs:
set_real_ip_from 123.123.255.0/24;
where 123.123.255.0 is the proxy IP / IP range.
Careful: setting set_real_ip_from 0.0.0.0/0; can be a potential security issue, because it will allow any incoming request with headers such as X-Forwarded-For to set the real IP. Even though in special cases this might be useful, it almost certainly creates a circumvention method for IP blocking in nginx. Thanks to @phylae for clarifying in his comment.
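To make the caveat above concrete, here is an added example (not code from the thread) that models how nginx's realip module decides which address becomes the client IP, and runs the blocklist against it for the three situations discussed: the asker's missing set_real_ip_from, a correctly trusted proxy, and the over-broad 0.0.0.0/0. The proxy address, the blocked address and the deny list are constructed for the example.

```python
import ipaddress

# Constructed example, not code from the thread: a model of how nginx's
# ngx_http_realip_module picks the client address, showing why
# set_real_ip_from must name only the hoster's proxy. Addresses are
# RFC 5737 documentation ranges chosen for this example.
PROXY = "203.0.113.10"      # the hoster's DDoS-protection proxy (assumed)
BLOCKED = {"198.51.100.7"}  # what blockips.conf denies ("deny 198.51.100.7;")

def effective_client_ip(remote_addr, xff, trusted, recursive=True):
    """Address nginx reports as the client after realip processing.
    remote_addr: TCP peer; xff: X-Forwarded-For value (real_ip_header) or
    None; trusted: CIDRs from set_real_ip_from; recursive: real_ip_recursive.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted]

    def is_trusted(addr):
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:          # not an IP literal: never trusted
            return False

    # The header is honoured only when the peer is a trusted proxy; with no
    # set_real_ip_from nothing is trusted and the proxy IP is kept (the
    # asker's original symptom).
    if not xff or not is_trusted(remote_addr):
        return remote_addr
    chain = [a.strip() for a in xff.split(",") if a.strip()]
    if not recursive:
        return chain[-1]            # real_ip_recursive off: last address
    for addr in reversed(chain):    # on: skip trusted hops from the right
        if not is_trusted(addr):
            return addr
    return chain[0]                 # every hop trusted: leftmost address

def is_blocked(remote_addr, xff, trusted, recursive=True):
    """Would the deny rules in blockips.conf fire for this request?"""
    return effective_client_ip(remote_addr, xff, trusted, recursive) in BLOCKED

if __name__ == "__main__":
    # Only the proxy trusted: the forwarded client is seen and denied.
    print(is_blocked(PROXY, "198.51.100.7", [PROXY]))              # True
    # A pre-filled header does not help the client; the proxy appends the
    # true address and the rightmost untrusted hop wins.
    print(is_blocked(PROXY, "192.0.2.1, 198.51.100.7", [PROXY]))   # True
    # set_real_ip_from 0.0.0.0/0 believes any peer's header, so a direct
    # connection with a forged header is no longer denied.
    print(is_blocked("198.51.100.7", "192.0.2.1", ["0.0.0.0/0"]))  # False
```

The same reasoning applies to the log files: with no trusted proxy configured, $remote_addr stays the proxy's address, which is why only the proxy IP appeared in the asker's logs.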