GeoIP Module for Blocking IP in http_x_forwarded_for

Maxim Dounin mdounin at mdounin.ru
Wed Jan 17 14:40:26 UTC 2018


Hello!

On Wed, Jan 17, 2018 at 07:33:43AM -0500, anish10dec wrote:

[...]

> > > Is there a way to check for First IP Address in http_x_forwarded_for for
> > > blocking the request?
> > 
> > If you really want to, you can do so using the 
> > geoip_proxy_recursive directive and configuring the geoip_proxy to 
> > trust the whole world, see here:
> > 
> > http://nginx.org/r/geoip_proxy_recursive
> 
> geoip_proxy_recursive on;
> 
> "If recursive search is disabled then instead of the original client address
> that matches one of the trusted addresses, the last address sent in
> “X-Forwarded-For” will be used. If recursive search is enabled then instead
> of the original client address that matches one of the trusted addresses,
> the last non-trusted address sent in “X-Forwarded-For” will be used."
> 
> Even enabling this last IP Address is used which is again not able to block
> the request as Client IP is at 1st Position.

The "configuring the geoip_proxy to trust the whole world" part of 
the quote above is important.  That is, you have to do something 
like this:

    geoip_proxy 0.0.0.0/0;
    geoip_proxy_recursive on;

This way all addresses in the X-Forwarded-For header will be 
trusted, and nginx will use the first address in the 
X-Forwarded-For header.

Note again that this is not secure as the address can be easily 
forged.

> > Note though that this is generally not secure as the address can 
> > be easily forged, see above.
> 
> Agree.
> 
> Tried by enabling the Geo IP module on Server A which looks after remote
> address field and successfully blocks the request.
> But the problem here is that it is even blocking the requests coming from
> our Internal Private IP Segment such as 10.0.0.0/27 which are used for
> monitoring.
> 
> Is there a way to declare a few Private IPs or an IP Range as trusted addresses
> even if they are coming under blocked countries?

If you are connecting to the server directly from the private 
range, you may want to review your blocking policy.  Private 
addresses shouldn't have a country associated with them, so you 
must be blocking them for some other reasons.

If you are connecting to the server via a proxy server in an 
otherwise blocked country, you may want to configure nginx to 
trust this specific server using the geoip_proxy directive.  This 
should be more secure than trusting the whole world.

-- 
Maxim Dounin
http://mdounin.ru/
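The two configurations discussed in this thread, side by side, as an added example (not from the thread and not nginx's own documentation). The database path, the country codes and the proxy address are placeholders; the allow/deny map and the `return 403` are the usual way the geoip module's `$geoip_country_code` is turned into a block and are assumed here, since the thread does not show how blocking was configured:

```nginx
# Added example; placeholders: database path, country codes XX/YY, proxy 192.0.2.10.

http {
    geoip_country /usr/share/GeoIP/GeoIP.dat;   # placeholder database path

    # Map the looked-up country to an allow/deny flag. Private addresses
    # (e.g. the 10.0.0.0/27 monitoring hosts) have no country, so
    # $geoip_country_code is empty and falls through to "default".
    map $geoip_country_code $allowed_country {
        default yes;
        XX      no;   # placeholder: country code to block
        YY      no;   # placeholder: another blocked country code
    }

    # Variant A: trust the whole world. nginx then uses the FIRST address in
    # X-Forwarded-For, which any client can forge, so this is shown only for
    # comparison and left commented out.
    # geoip_proxy 0.0.0.0/0;
    # geoip_proxy_recursive on;

    # Variant B: trust only the known upstream proxy. nginx then uses the last
    # non-trusted address in X-Forwarded-For, i.e. the client address that
    # proxy appended, provided the proxy does append it.
    geoip_proxy 192.0.2.10;        # placeholder: address of the trusted proxy
    geoip_proxy_recursive on;

    server {
        listen 80;

        location / {
            if ($allowed_country = no) {
                return 403;
            }
            # ... normal request handling ...
        }
    }
}
```

Requests arriving directly from the private monitoring range carry no X-Forwarded-For and resolve to no country, so with the map above they are allowed by `default`; if they are still being blocked, the block is coming from some other rule, which is the point made in the reply.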

