I have 6 Nginx servers behind a load balancer. Of course, if I just try to "deny" based on IP address it does not work, as the app servers just see the load balancer IP.
However, I learned about the Real IP module and I have that enabled in the following way:
set_real_ip_from 0.0.0.0/0;
real_ip_header X-Real-IP;
So, now that I have the X-Real-IP header set correctly, how can I then configure Nginx to block certain users whose "X-Real-IP" value equals one of a set of IPs?
Best Answer
That's easy. Nginx's "geo" module lets you define a variable with a value depending on the client's IP address:

The geo directive should be at http level (e.g. outside server). There is a convenient way to include large IP databases via include or ranges, see the documentation.

So, assuming you have such a variable, you may return whatever status codes you'd like, e.g. 403 or 404 (at server level or in location):

If you'd like to silently drop the connection, use

444 is a non-standard status code used internally to instruct Nginx to drop the connection (thus a client does not see it).
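
A complete configuration along the lines this answer describes, as an added example that is not part of the original answer: a geo variable keyed on the address restored by the realip module, checked at server level. The load balancer address 10.0.0.10, the blocked addresses, the include path and the variable name $blocked_client are assumptions. set_real_ip_from is narrowed to the load balancer here because with 0.0.0.0/0 Nginx accepts X-Real-IP from any peer, so the block only holds if clients can never reach the app servers directly.

```nginx
# Added example, not from the original answer.
# 10.0.0.10, 192.0.2.15 and 198.51.100.0/24 are constructed placeholder values.
http {
    # Accept X-Real-IP only on connections that come from the load balancer.
    set_real_ip_from 10.0.0.10;
    real_ip_header   X-Real-IP;

    # geo keys on $remote_addr by default. For trusted peers the realip
    # module has already replaced $remote_addr with the X-Real-IP value.
    geo $blocked_client {
        default          0;
        192.0.2.15       1;   # single address
        198.51.100.0/24  1;   # CIDR range
        # Larger lists can live in a separate file of "address 1;" lines:
        # include /etc/nginx/blocked_ips.conf;   # hypothetical path
    }

    server {
        listen 80;

        # "0" and the empty string are false; any other value is true.
        if ($blocked_client) {
            return 403;   # or "return 444;" to close the connection without a response
        }

        location / {
            root /var/www/html;   # hypothetical application config
        }
    }
}
```

Check the syntax with nginx -t before reloading, and confirm in the access log that $remote_addr shows client addresses rather than the load balancer's.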