GeoIP Module for Blocking IP in http_x_forwarded_for
Maxim Dounin
mdounin at mdounin.ru
Wed Jan 17 14:40:26 UTC 2018
Hello!
On Wed, Jan 17, 2018 at 07:33:43AM -0500, anish10dec wrote:
[...]
> > > Is there a way to check for the first IP address in http_x_forwarded_for for
> > > blocking the request?
> >
> > If you really want to, you can do so using the
> > geoip_proxy_recursive directive and configuring the geoip_proxy to
> > trust the whole world, see here:
> >
> > http://nginx.org/r/geoip_proxy_recursive
>
> geoip_proxy_recursive on;
>
> "If recursive search is disabled then instead of the original client address
> that matches one of the trusted addresses, the last address sent in
> “X-Forwarded-For” will be used. If recursive search is enabled then instead
> of the original client address that matches one of the trusted addresses,
> the last non-trusted address sent in “X-Forwarded-For” will be used."
>
> Even after enabling this, the last IP address is used, which again is not able to block
> the request, as the client IP is at the 1st position.
The "configuring the geoip_proxy to trust the whole world" part of
the quote above is important. That is, you have to do something
like this:
geoip_proxy 0.0.0.0/0;
geoip_proxy_recursive on;
This way all addresses in the X-Forwarded-For header will be
trusted, and nginx will use the first address in the
X-Forwarded-For header.
Note again that this is not secure as the address can be easily
forged.
> > Note though that this is generally not secure as the address can
> > be easily forged, see above.
>
> Agree.
>
> Tried enabling the GeoIP module on Server A, which looks at the remote
> address field, and it successfully blocks the request.
> But the problem here is that it is even blocking the requests coming from
> our internal private IP segment, such as 10.0.0.0/27, which is used for
> monitoring.
>
> Is there a way to declare a few private IPs or IP ranges as trusted addresses
> even if they are coming under blocked countries?
If you are connecting to the server directly from the private
range, you may want to review your blocking policy. Private
addresses shouldn't have a country associated with them, so you
must be blocking them for some other reasons.
If you are connecting to the server via a proxy server in an
otherwise blocked country, you may want to configure nginx to
trust this specific server using the geoip_proxy directive. This
should be more secure than trusting the whole world.
--
Maxim Dounin
http://mdounin.ru/
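The address-selection rule quoted in this thread (geoip_proxy plus geoip_proxy_recursive) can be modelled outside nginx to see exactly which address the GeoIP lookup ends up using under the two configurations Maxim contrasts. The following is an added example, not code from the mailing-list post or from nginx: it assumes that the rule as quoted from the docs is a faithful description of nginx's behaviour, and it uses a constructed prefix-to-country table (FAKE_GEOIP_DB, with made-up country codes XA and XB) in place of a real GeoIP database. All IP addresses are documentation/test ranges.

```python
"""Model of nginx's geoip_proxy / geoip_proxy_recursive address selection.

Added example, not nginx code. The selection rule is the one quoted in the
thread; the country table below is constructed for the demonstration.
"""
import ipaddress

# Constructed stand-in for a GeoIP country database: prefix -> country code.
# Private ranges deliberately have no entry, matching the point in the thread
# that private addresses carry no country.
FAKE_GEOIP_DB = {
    "198.51.100.0/24": "XB",   # constructed "blocked" country
    "203.0.113.0/24": "XA",    # constructed allowed country
    "192.0.2.0/24": "XA",
}
BLOCKED_COUNTRIES = {"XB"}

# The two configurations discussed in the thread, as geoip_proxy values.
TRUST_WORLD = ["0.0.0.0/0"]          # geoip_proxy 0.0.0.0/0;
TRUST_REAL_PROXY = ["192.0.2.5/32"]  # geoip_proxy 192.0.2.5;  (assumed proxy address)


def _matches(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def effective_client_address(remote_addr, x_forwarded_for, trusted_proxies, recursive):
    """Return the address the GeoIP module would look up.

    Assumed to mirror the documented rule:
    - X-Forwarded-For is consulted only if remote_addr is itself trusted;
    - recursive off: the last address in the header is used;
    - recursive on: scanning right to left, the first non-trusted address is
      used, and if every address is trusted the leftmost one is used.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not x_forwarded_for or not _matches(remote_addr, trusted):
        return remote_addr
    candidates = [a.strip() for a in x_forwarded_for.split(",") if a.strip()]
    chosen = remote_addr
    for addr in reversed(candidates):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            break  # unparsable entry: stop and keep what was found so far
        chosen = addr
        if not recursive or not _matches(addr, trusted):
            break
    return chosen


def country_of(addr):
    """Constructed lookup; returns None for addresses with no country (e.g. RFC 1918)."""
    ip = ipaddress.ip_address(addr)
    for prefix, cc in FAKE_GEOIP_DB.items():
        if ip in ipaddress.ip_network(prefix):
            return cc
    return None


def should_block(remote_addr, x_forwarded_for, trusted_proxies, recursive=True):
    """Blocking decision as a country check on the effective client address."""
    client = effective_client_address(remote_addr, x_forwarded_for, trusted_proxies, recursive)
    return country_of(client) in BLOCKED_COUNTRIES


if __name__ == "__main__":
    # Legitimate request via the proxy 192.0.2.5 from a client in country XB.
    print(effective_client_address("192.0.2.5", "198.51.100.7, 203.0.113.10", TRUST_WORLD, True))
    # Client in XB connects directly and supplies its own X-Forwarded-For.
    print(should_block("198.51.100.7", "203.0.113.10", TRUST_WORLD))       # trust the world
    print(should_block("198.51.100.7", "203.0.113.10", TRUST_REAL_PROXY))  # trust only the proxy
    # Internal monitoring host: no country, so not blocked by a country rule.
    print(should_block("10.0.0.5", None, TRUST_REAL_PROXY))
```

With TRUST_WORLD every header entry is trusted, so the recursive scan runs all the way to the leftmost entry, which is why the whole-world configuration yields the first address; it also means a client that connects directly is itself "trusted" and its own header is believed. With TRUST_REAL_PROXY a direct connection is not trusted, the header is ignored, and the connecting address is what gets looked up, which is the more secure configuration Maxim recommends.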