GeoIP Module for Blocking IP in http_x_forwarded_for

Maxim Dounin mdounin at
Thu Jan 11 14:14:54 UTC 2018


On Thu, Jan 11, 2018 at 07:17:20AM -0500, anish10dec wrote:

> GeoIP module is able to block request on basis of remote address which is IP
> of the remote device or user but not on basis of X-Forwarded-For IP if it
> has multiple IP address in it.
> There is Frontend Server( Server A) which receives the request and send it
> to Intermediate Server (Server B)
> We have GeoIP module installed on Intermediate Server i.e. Server B
> Server B <--- Server A <---- User
> When Server B , receives the request from Server A, remote address
> (remote_addr) for Server B is IP of Server A.
> Device/User IP is in http_x_forwarded_for field .
> If http_x_forwarded_for has single IP in it GeoIP module is able to block
> the IP on the basis of blocking applied. 
> If http_x_forwarded_for has multiple IP i.e IP of User as well as IP of some
> Proxy Server or IP of Server A, then it's not able to block the request.
> Below is the configuration : 
> geoip_country    /usr/share/GeoIP/GeoIP.dat;
> geoip_proxy       IP_OF_ServerA;       # GeoIP module ignores remote_addr, considering it as trusted, and refers to X-Forwarded-For
> map $geoip_country_code $allowed_country {
>         default no;
>         US yes;
> }
> http_x_forwarded_for =  { User IP of UK } - Request from this IP is getting
> blocked
> http_x_forwarded_for =  { User IP of UK , Proxy IP of US  }  -  This request
> is not getting blocked
> http_x_forwarded_for =  { User IP of UK , IP of Server A  }  -  This request
> is not getting blocked
> It seems nginx GeoIP Module refers to Last IP in http_x_forwarded_for field
> for applying the blocking method.

This is what X-Forwarded-For header format assumes: IP addresses 
are added to the end of the list.  As such, the last address is 
the only one you can trust in the above configuration.

That is, a request with

X-Forwarded-For: IP1, IP2, IP3

as got from Server A doesn't mean that you've got a request from 
IP1 forwarded to you via various proxies.  It instead means that 
Server A got the request from IP3 with "X-Forwarded-For: IP1, IP2" 
already present in the request.  Nothing guarantees that IP1 and 
IP2 are real addresses - they can be easily faked by the client, 
or they can be internal addresses in the client network.

> Is there a way to check for First IP Address in http_x_forwarded_for for
> blocking the request  ?

If you really want to, you can do so using the 
geoip_proxy_recursive directive and configuring the geoip_proxy to 
trust the whole world, see here:

Note though that this is generally not secure as the address can 
be easily forged, see above.

Maxim Dounin
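
The address selection described in this reply, modelled in Python as an added example (not part of the original message and not nginx's own code). The function name, its parameters and all addresses are assumptions; the addresses are constructed from documentation ranges, with 192.0.2.10 standing in for Server A.

```python
import ipaddress

def effective_client_ip(remote_addr, xff, trusted, recursive=False):
    """Return the address a trusted-proxy X-Forwarded-For lookup would use.

    trusted   -- CIDR strings, the role geoip_proxy plays in the thread
    recursive -- models geoip_proxy_recursive: keep walking left while
                 each address just accepted is itself trusted
    """
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(ip):
        return any(ip.version == n.version and ip in n for n in nets)

    current = ipaddress.ip_address(remote_addr)
    # Proxies append to the end, so walk the header right to left.
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()][::-1]
    for hop in hops:
        if not is_trusted(current):
            break  # nobody trusted vouches for anything further left
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable entry: keep the last usable address
        if not recursive:
            break  # non-recursive: only the last entry is considered
    return str(current)

# Constructed sample: the client sent "X-Forwarded-For: 203.0.113.7"
# itself, and Server A appended the peer it really saw (198.51.100.23).
SERVER_A = "192.0.2.10"
XFF = "203.0.113.7, 198.51.100.23"

if __name__ == "__main__":
    # Only Server A trusted: the address Server A observed is used.
    print(effective_client_ip(SERVER_A, XFF, [SERVER_A]))
    print(effective_client_ip(SERVER_A, XFF, [SERVER_A], recursive=True))
    # Whole world trusted + recursive: the client-supplied entry is used.
    print(effective_client_ip(SERVER_A, XFF, ["0.0.0.0/0"], recursive=True))
```

With only Server A trusted, both modes stop at the address Server A appended; once every address is trusted, the recursive walk ends on the leftmost entry, which is whatever the client chose to send.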