nginx deny based on $http_x_forwarded_for

I have an nginx container in openshift. I am trying to limit the access from external IPs, more specifically, anything not in the 10.XXX range.

This is my config file:

http {
    ....
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    ....

    # server must sit inside the http block (the stray closing brace in the
    # original paste has been moved to the end)
    server {
        listen 8080;
        server_name app.okd.company.com;

        # allow/deny are matched against $remote_addr, the direct TCP peer
        allow 10.0.0.0/8;
        deny all;

        location / {
            proxy_pass http://app/;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_redirect off;
        }

        location /static/ {
            autoindex on;
            alias /app/static/;
        }
    }
}

The connection is allowed whether private or external. Here are some logs.

10.129.2.1 - - [16/Nov/2021:19:28:57 +0000] "POST /graphql/ HTTP/1.1" 200 53384 "https://app.okd.company.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" "10.3.16.158"

10.131.2.1 - - [16/Nov/2021:19:42:56 +0000] "POST /graphql/ HTTP/1.1" 200 53384 "https://app.okd.company.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" "73.177.XXX.XXX"

The first log seems to be allowing private IP connections, which is expected, but the second one is still being allowed. I'm not sure why it isn't blocking.

EDIT:

I realize the remote_addr is in the private IP range. I don't care which proxy it used to access the nginx I have control over. I just care about the origin/http_x_forwarded_for. Is there a way I can allow or deny based off of that?

To use the http_x_forwarded_for as the real IP, you should set that in the server config.

...
    server {
        set_real_ip_from 10.0.0.0/8;
        real_ip_header X-Forwarded-For;
...

set_real_ip_from is not optional. It needs to contain all addresses that could be the forwarding proxy.
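An added example, not code from the question or the answer, that simulates how nginx reaches an allow/deny verdict for the two requests in the logs above, before and after set_real_ip_from/real_ip_header are configured. It approximates the realip module's trust check (the header is only honoured when the direct peer is a listed proxy) and real_ip_recursive; the function names are my own, and 73.177.0.1 stands in for the redacted 73.177.XXX.XXX.

```python
import ipaddress

# Constructed from the question's log lines: the direct peer ($remote_addr) is the
# in-cluster router (10.129.2.1 / 10.131.2.1) and the client sits in X-Forwarded-For.
# 73.177.0.1 is a placeholder for the redacted "73.177.XXX.XXX".
ACCESS_RULES = [("allow", "10.0.0.0/8"), ("deny", "0.0.0.0/0")]  # allow 10.0.0.0/8; deny all
TRUSTED_PROXIES = ["10.0.0.0/8"]                                  # set_real_ip_from 10.0.0.0/8

def _in_any(addr, cidrs):
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def effective_client(remote_addr, xff, trusted, recursive=False):
    """Approximate ngx_http_realip_module with real_ip_header X-Forwarded-For.
    The header is honoured only when the direct peer is covered by set_real_ip_from;
    without real_ip_recursive the rightmost address is taken, with it the rightmost
    address that is not itself a trusted proxy."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not _in_any(peer, trusted):
        return peer  # untrusted peer (or no header): header is ignored, peer stays
    hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",") if h.strip()]
    if not recursive:
        return hops[-1]
    for hop in reversed(hops):
        if not _in_any(hop, trusted):
            return hop
    return hops[0]  # every hop was a trusted proxy: the leftmost one remains

def access_decision(client, rules=ACCESS_RULES):
    """allow/deny directives are evaluated in order; the first matching rule wins."""
    for verdict, cidr in rules:
        if client in ipaddress.ip_network(cidr):
            return verdict
    return "allow"

def decide(remote_addr, xff, realip_enabled, recursive=False):
    """Verdict nginx would reach for one request, with or without the realip fix."""
    trusted = TRUSTED_PROXIES if realip_enabled else []
    return access_decision(effective_client(remote_addr, xff, trusted, recursive))

if __name__ == "__main__":
    for peer, xff in [("10.129.2.1", "10.3.16.158"), ("10.131.2.1", "73.177.0.1")]:
        print(peer, xff, "original config:", decide(peer, xff, False),
              "| with set_real_ip_from:", decide(peer, xff, True))
```

Once the realip directives are in place, $remote_addr in the log_format shows the resolved client address while $realip_remote_addr still carries the router's address.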
