GeoIP Module for Blocking IP in http_x_forwarded_for
Maxim Dounin
mdounin at mdounin.ru
Thu Jan 11 14:14:54 UTC 2018
Hello!
On Thu, Jan 11, 2018 at 07:17:20AM -0500, anish10dec wrote:
> GeoIP module is able to block request on basis of remote address which is IP
> of the remote device or user but not on basis of X-Forwarded-For IP if it
> has multiple IP address in it.
>
> There is Frontend Server (Server A) which receives the request and sends it
> to Intermediate Server (Server B)
> We have GeoIP module installed on Intermediate Server i.e. Server B
>
>
> Server B <--- Server A <---- User
>
> When Server B receives the request from Server A, remote address
> (remote_addr) for Server B is IP of Server A.
> Device/User IP is in http_x_forwarded_for field.
> If http_x_forwarded_for has single IP in it GeoIP module is able to block
> the IP on the basis of blocking applied.
>
> If http_x_forwarded_for has multiple IP i.e. IP of User as well as IP of some
> Proxy Server or IP of Server A, then it's not able to block the request.
>
> Below is the configuration :
>
> geoip_country /usr/share/GeoIP/GeoIP.dat;
> geoip_proxy IP_OF_ServerA; # GeoIP module ignores remote_addr,
> # considering it as trusted, and refers to X-Forwarded-For
>
> map $geoip_country_code $allowed_country {
> default no;
> US yes;
> }
>
> http_x_forwarded_for = { User IP of UK } - Request from this IP is getting
> blocked
>
> http_x_forwarded_for = { User IP of UK , Proxy IP of US } - This request
> is not getting blocked
>
> http_x_forwarded_for = { User IP of UK , IP of Server A } - This request
> is not getting blocked
>
> It seems nginx GeoIP Module refers to Last IP in http_x_forwarded_for field
> for applying the blocking method.
This is what X-Forwarded-For header format assumes: IP addresses
are added to the end of the list. As such, the last address is
the only one you can trust in the above configuration.
That is, a request with

    X-Forwarded-For: IP1, IP2, IP3

as got from Server A doesn't mean that you've got a request from
IP1 forwarded to you via various proxies. It instead means that
Server A got the request from IP3 with "X-Forwarded-For: IP1, IP2"
already present in the request. Nothing guarantees that IP1 and
IP2 are real addresses - they can be easily faked by the client,
or they can be internal addresses in the client network.
> Is there a way to check for First IP Address in http_x_forwarded_for for
> blocking the request ?
If you really want to, you can do so using the
geoip_proxy_recursive directive and configuring the geoip_proxy to
trust the whole world, see here:
http://nginx.org/r/geoip_proxy_recursive
Note though that this is generally not secure as the address can
be easily forged, see above.
--
Maxim Dounin
http://mdounin.ru/
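
Added example, not part of the original message and not nginx code: a simplified Python model of the address selection discussed above (last X-Forwarded-For entry when the peer is trusted, stepping further left only with recursive lookup while each address is still trusted). The function name, case labels and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def lookup_address(remote_addr, xff, trusted, recursive=False):
    """Pick the address a trusted-proxy GeoIP lookup would geolocate (simplified model)."""
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    addr = remote_addr
    # Step left through X-Forwarded-For only while the current address is trusted.
    while hops and is_trusted(addr):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: keep the last address that was accepted
        addr = candidate
        if not recursive:
            break  # non-recursive: the last X-Forwarded-For entry is the answer
    return addr

# Constructed sample addresses from the documentation ranges.
SERVER_A = "192.0.2.10"      # frontend proxy, the peer Server B sees
USER = "198.51.100.7"        # address Server A actually received the request from
US_PROXY = "203.0.113.5"     # a proxy between the user and Server A
CLAIMED = "203.0.113.99"     # value the client put in X-Forwarded-For itself

def demo():
    only_a = [SERVER_A + "/32"]   # trust Server A only
    world = ["0.0.0.0/0"]         # "trust the whole world"
    return {
        "single": lookup_address(SERVER_A, USER, only_a),
        "via_proxy": lookup_address(SERVER_A, f"{USER}, {US_PROXY}", only_a),
        "a_listed": lookup_address(SERVER_A, f"{USER}, {SERVER_A}", only_a),
        "a_listed_recursive": lookup_address(SERVER_A, f"{USER}, {SERVER_A}", only_a, True),
        "client_header_trust_a": lookup_address(SERVER_A, f"{CLAIMED}, {USER}", only_a, True),
        "client_header_trust_world": lookup_address(SERVER_A, f"{CLAIMED}, {USER}", world, True),
    }

if __name__ == "__main__":
    for case, addr in demo().items():
        print(f"{case:28} -> {addr}")
```

The last two cases use the same header: with only Server A trusted the lookup stops at the address Server A itself observed, while trusting every address makes the lookup use the entry the client wrote.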