Nginx – Location based whitelisting of IP’s on nginx webservers behind Elastic Load Balancer

amazon-web-servicesnginxx-forwarded-for

I run nginx webservers behind an elastic load balancer in AWS.
The real IP is got through X-Forwarded-For.
The issue faced is how to use this to deny all and whitelist only specific sources for particular locations.

Something like:
location /test/ {
include /etc/nginx/allowed-XForwardedFor.conf;
deny all;
}

Can I catch the X-Forwarded-For IP's with a variable and then use it in the conf file or in some-way use it with the allow option in locations or do it with the help of an if conditional?

Best Answer

Use the nginx realip module, and then you don't have to worry about the X-Forwarded-For header; you can just act on IP addresses as if the load balancer wasn't there.

A sample configuration:

http {
        real_ip_header X-Forwarded-For;
        set_real_ip_from 172.19.0.0/16; # Netblock for my ELB's

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

If you can guarantee that all requests will be coming from ELB (I'm not familiar with it), you could try:

real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;

That should tell nginx to trust an X-Forwarded-For header from anyone. The downside is that if anyone directly accesses your server, they would be able to spoof an X-Forwarded-For header and nginx would use the wrong client ip address.

Nginx – X-Real-IP header empty with nginx behind a load balancer

It should be sufficient to merely add

server {
  set_real_ip_from x.x.x.x/x;
  real_ip_header X-Forwarded-For;

To the opening lines of your vhost configuration.

Looking at the Storm on Demand load balancer service, it seems they use Zeus load balancers - which use the X-Cluster-Client-Ip header for the real/source IP. So I would suggest trying,

server {
  set_real_ip_from x.x.x.x/x;
  real_ip_header X-Cluster-Client-Ip;

Best Answer

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

Nginx – X-Real-IP header empty with nginx behind a load balancer

Related Topic