nginx deny based on $http_x_forwarded_for
I have an nginx container in openshift. I am trying to limit the access from external IPs, more specifically, anything not in the 10.XXX range.
This is my config file:
    http {
        ....
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        ....
    }

    server {
        listen 8080;
        server_name app.okd.company.com;

        # access module: checks $remote_addr, i.e. the TCP peer
        allow 10.0.0.0/8;
        deny all;

        location / {
            proxy_pass http://app/;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_redirect off;
        }

        location /static/ {
            autoindex on;
            alias /app/static/;
        }
    }
The connection is allowed whether private or external. Here are some logs:
    10.129.2.1 - - [16/Nov/2021:19:28:57 +0000] "POST /graphql/ HTTP/1.1" 200 53384 "https://app.okd.company.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" "10.3.16.158"
    10.131.2.1 - - [16/Nov/2021:19:42:56 +0000] "POST /graphql/ HTTP/1.1" 200 53384 "https://app.okd.company.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" "73.177.XXX.XXX"
The first log seems to be allowing private IP connections, which is expected, but the second one is still being allowed. I'm not sure why it isn't blocking.
EDIT:

I realize the remote_addr is in the private IP range. I don't care which proxy it used to access the nginx I have control over. I just care about the origin/http_x_forwarded_for. Is there a way I can allow or deny based off of that?
To use the http_x_forwarded_for as the real IP, you should set that in the server config.
    ...
    server {
        set_real_ip_from 10.0.0.0/8;
        real_ip_header X-Forwarded-For;
        ...
set_real_ip_from is not optional. It needs to contain all addresses that could be the forwarding proxy.
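Putting the two realip directives together with the original allow/deny rules, as an added example that is neither the question's nor the answer's configuration. It assumes, as the question's logs suggest, that the OpenShift router pods (10.129.2.1, 10.131.2.1) are the only hops that reach this nginx and that they append the original client to X-Forwarded-For; the trusted range 10.0.0.0/8 is the one given in the answer, the server name app.okd.company.com and the upstream name app come from the question, and the upstream address 127.0.0.1:8000 and the log path are placeholders.

```nginx
# Added example (not from the original post): deny by the original client
# address instead of by the address of the router that forwarded the request.
events {}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;   # assumed path

    # assumed placeholder so that `nginx -t` can resolve proxy_pass http://app/
    upstream app {
        server 127.0.0.1:8000;
    }

    server {
        listen 8080;
        server_name app.okd.company.com;

        # ngx_http_realip_module: replace $remote_addr with the address carried
        # in X-Forwarded-For, but only when the TCP peer is a trusted proxy.
        # Every router / ingress that can reach this container must be listed;
        # a peer outside these ranges keeps its own address and the header it
        # sends is ignored, so an external client cannot spoof its way in.
        set_real_ip_from 10.0.0.0/8;
        real_ip_header   X-Forwarded-For;

        # With recursive on, nginx walks X-Forwarded-For from right to left and
        # skips every address that is itself in set_real_ip_from. If a second
        # internal hop ever sits between the router and nginx, the header reads
        # "73.177.0.0, 10.3.16.158": recursive off would pick the rightmost
        # 10.3.16.158 (allowed), recursive on resolves to 73.177.0.0 (denied).
        real_ip_recursive on;

        # ngx_http_access_module tests $remote_addr after realip has rewritten
        # it, so these rules now apply to the original client, not the router.
        # They are inherited by every location below.
        allow 10.0.0.0/8;
        deny  all;

        location / {
            proxy_pass http://app/;
            # $proxy_add_x_forwarded_for appends the (rewritten) $remote_addr,
            # so the upstream now sees the client address twice. Passing the
            # incoming header through unchanged avoids the duplicate.
            proxy_set_header X-Forwarded-For $http_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_redirect off;
        }

        location /static/ {
            autoindex on;
            alias /app/static/;
        }
    }
}
```

Validate with `nginx -t`, then repeat the two requests from the question: the access log's first column should now show 10.3.16.158 and 73.177.XXX.XXX instead of the router addresses, and the second request should get a 403. If the router address is still needed for logging, `$realip_remote_addr` keeps the original TCP peer after realip has rewritten `$remote_addr`.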