I am trying to restrict access to resources behind Nginx based on the client IP passed in X-Forwarded-For headers. Nginx is running in a container on a Kubernetes cluster on Google Cloud Platform, and real client IPs are passed in the X-Forwarded-For header only.
So far I've managed to do it for a single IP with the following code:
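    # Deny by default; allow only when X-Forwarded-For matches.
    set $allow false;
    # Dots are escaped so they match a literal "." and not any character.
    if ($http_x_forwarded_for ~* 123\.233\.233\.123) {
        set $allow true;
    }
    # Variable name corrected from $http_x_forward_for, which is always empty.
    if ($http_x_forwarded_for ~* 10\.20\.30\.40) {
        set $allow false;
    }
    if ($allow = false) {
        return 403;
    }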
But how can I do that for whole ranges of IPs? Specifying hundreds of IPs by hand doesn't make much sense.
All help is appreciated.
Best Answer
Use the RealIP module to honour the value of the X-Forwarded-For header. Set set_real_ip_from to the IP address of the reverse proxy (the current value of $remote_addr). For example:
You should now be able to use $remote_addr and allow/deny directives using the true IP address of the client. See this document for more.
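The configuration this answer describes, written out as an added example (it is not the answer author's snippet, which did not survive on this page). The proxy address 10.0.0.1 and the client ranges are constructed placeholders to be replaced with your own values.

```nginx
# Added example; all addresses below are placeholders, not values from the post.

# Trust X-Forwarded-For only when the connection comes from this proxy.
# Use the address (or CIDR range) that currently shows up as $remote_addr.
set_real_ip_from  10.0.0.1;

# Take the client address from X-Forwarded-For and store it in $remote_addr.
real_ip_header    X-Forwarded-For;

# With several proxies in the chain, skip every trusted address in the header
# and use the last untrusted one, instead of just the last entry.
real_ip_recursive on;

server {
    listen 80;

    location / {
        # allow/deny accept CIDR ranges, so no per-IP regex is needed.
        # Rules are checked in order; the first match wins.
        deny  10.20.30.40;        # single address, as in the question
        allow 203.0.113.0/24;     # placeholder client range
        allow 198.51.100.0/24;    # placeholder client range
        deny  all;                # everything else gets 403
    }
}
```

List only proxies you control in set_real_ip_from: X-Forwarded-For is supplied by the client, so any address allowed to set it can claim to be inside an allowed range.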