GeoIP blocking behind AWS ELB + proxy protocol

Joe Rizzo jrizzo at
Wed Oct 29 18:35:50 UTC 2014

Hi -
    I have nginx servers behind an AWS ELB. Because web sockets are
leveraged, the ELB is configured as TCP load balancing with the proxy
protocol option set. The true IP address of the client is extracted as
variable $proxy_protocol_addr.

    How would I configure nginx to allow/deny access based on the
$proxy_protocol_addr variable? I tried setting $X-Forwarded-For to
$proxy_protocol_addr with no luck. Below is snippets from the configuration.

http {
    geoip_proxy_recursive off;
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    map $geoip_country_code $allowed_country {
        default no;
        US yes;
        CA yes;
server {
    listen 82 proxy_protocol;
    location / {
        set $X-Forwarded-For $proxy_protocol_addr;
        if ($allowed_country = no) {
            return 403;

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list