Nginx – Blocking IP’s Nginx behind proxy

nginxPHPPROXY

I'm running a Nginx 1.2.4 webserver here, and I'm behind a proxy of my hoster to prevent ddos attacks. The downside of being behind this proxy is that I need to get the REAL IP information from an extra header. In PHP it works great by doing $_SERVER[HTTP_X_REAL_IP] for example.

Now before I was behind this proxy of my hoster I had a very effective way of blocking certain IP's by doing this: include /etc/nginx/block.conf and to allow/deny IP's there.

But now due to the proxy, Nginx sees all traffic coming from 1 IP.

Is there a way I can get Nginx to read the IP's like how PHP does, with the X-REAL-IP header?

Best Answer

Usually proxy servers send an header X_FORWARDED_FOR containing clients real ip address. You can use --with-http_realip_module to get the real ip address. Here is module's page

Related Solutions

Nginx – Problem with GWT behind a reverse proxy – either nginx or apache

I think you should

location /context/ {
    proxy_pass        http://backend/context/;
}

and then use rewrite to strip /context part from URL

Nginx – Block User Based on X Header Value

That's easy. Nginx's "geo" module lets define a variable with value depending on the client's IP address:

geo $ban_ip {
  default 0;
  10.1.0.0/24 1;
};

geo directive should be at http level (e.g. outside server). There is a convenient way to include large IP databases via include or ranges, see the documentation

So, assuming you have such a variable, you may return whatever status codes you'd like, e.g. 403 or 404 (at server level or in location):

if ($ban_ip) {
  return 403;
}

If you'd like to silently drop the connection, use

if ($ban_ip) {
  return 444;
}

444 is a non-standard status code used internally to instruct Nginx to drop the connection. (thus a client does not see it)

Best Answer

Related Solutions

Nginx – Problem with GWT behind a reverse proxy – either nginx or apache

Nginx – Block User Based on X Header Value

Related Topic