Nginx – How to deny access to resources based on X-forwarded-for headers

nginx

I am trying to restrict access to resources behind Nginx based on the client IP passed in the X-Forwarded-For header. Nginx is running in a container on a Kubernetes cluster on Google Cloud Platform, and the real client IPs are passed only in the X-Forwarded-For header.

So far I've managed to do it for a single IP with the following code:

# Default to denying the request; a matching allow rule flips it.
set $allow false;
# Dots are escaped so they match literal dots rather than any character.
# Note this is still a substring match on the raw header, so it also
# matches addresses that merely contain this string.
if ($http_x_forwarded_for ~* 123\.233\.233\.123) {
    set $allow true;
}
# Explicit deny for a single address (variable name corrected: the header
# variable is $http_x_forwarded_for, not $http_x_forward_for).
if ($http_x_forwarded_for ~* 10\.20\.30\.40) {
    set $allow false;
}
if ($allow = false) {
    return 403;
}

But how can I do that for whole ranges of IPs? Specifying hundreds of IPs by hand doesn't make much sense.

All help is appreciated

Best Answer

Use the RealIP module to honour the value of the X-Forwarded-For header. Set set_real_ip_from to the IP address of the reverse proxy (the current value of $remote_addr).

For example:

server {
    ...
    real_ip_header X-Forwarded-For;
    set_real_ip_from 10.1.2.3;
    ...
}

You should now be able to use $remote_addr and the allow/deny directives with the true IP address of the client. See this document for more.
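The following is an added, complete configuration built on the answer above; it is not part of the original question or answer. It combines the realip directives with CIDR-based allow/deny rules, which answers the original "hundreds of IPs" problem, and it turns on real_ip_recursive so that a client-supplied X-Forwarded-For prefix cannot be used to spoof the derived address. The trusted proxy ranges (130.211.0.0/22 and 35.191.0.0/16) are assumed to be the Google Cloud HTTP(S) load balancer source ranges and must be verified against Google's documentation and your own access logs; the allowed client networks (203.0.113.0/24 and 198.51.100.0/24) are RFC 5737 documentation placeholders.

```nginx
# Added example configuration, not taken from the original page.
# Assumptions (verify before use):
#   - The proxy in front of nginx sends from 130.211.0.0/22 or 35.191.0.0/16
#     (assumed GCP HTTP(S) load balancer ranges). Only these networks may
#     be trusted to set X-Forwarded-For; a wider range lets a peer on that
#     network spoof the client address.
#   - 203.0.113.0/24 and 198.51.100.0/24 are placeholder client networks.
http {
    # Derive $remote_addr from X-Forwarded-For, but only for connections
    # that arrive from a trusted proxy. Direct connections keep the
    # real peer address, so a client hitting nginx directly cannot forge it.
    real_ip_header    X-Forwarded-For;
    set_real_ip_from  130.211.0.0/22;
    set_real_ip_from  35.191.0.0/16;

    # Walk X-Forwarded-For from right to left, skipping every address that
    # matches set_real_ip_from, and use the first untrusted one. The value a
    # client puts in its own header ends up to the left of what the trusted
    # proxy appends, so it is never selected. With "off", nginx would simply
    # take the last address, which breaks when more than one trusted hop
    # (e.g. load balancer plus ingress controller) appends to the header.
    real_ip_recursive on;

    # Log the derived client address alongside the raw header so that a
    # mismatch (spoofing attempt, misconfigured proxy) is visible in forensics.
    log_format xff '$remote_addr - [$time_local] "$request" $status '
                   'xff="$http_x_forwarded_for" peer="$realip_remote_addr"';
    access_log /var/log/nginx/access.log xff;

    server {
        listen 80;

        location /restricted/ {
            # CIDR ranges replace hundreds of per-IP rules. Rules are evaluated
            # in order; the first match wins, so "deny all" must come last.
            allow 203.0.113.0/24;
            allow 198.51.100.0/24;
            deny  all;

            return 200 "restricted content\n";
        }

        location / {
            return 200 "public content\n";
        }
    }
}
```

To check the result without guessing, request /restricted/ from an address outside the allowed ranges and confirm a 403 in the access log whose $remote_addr column is the X-Forwarded-For value while $realip_remote_addr is the load balancer's address; then send a request with a forged `X-Forwarded-For: 203.0.113.10` header and confirm it is still denied, because the proxy appends the true peer address to the right of the forged value and real_ip_recursive selects that one.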