
nginx behind haproxy to static html ssl getting real IP address

My problem is getting the "real" IP address from the web at nginx level serving a static vuejs site via ssl.

I want to block certain IP addresses, how can I get the real IP address if I can't use proxy pass, since I only link to a static location?

haproxy (tcp) (port: 443) ==> encrypted request ==> nginx (port: 8085) request pass to ==> '/' location getting real IP for range blocking.

Please also see questions/comments in the nginx vhost file. Am I on the right track here or does this need to be done entirely differently?

haproxy setup:

frontend ssl_front_433 xx.xx.xx.xx:443
    mode tcp
    option tcplog
    use_backend ssl_nginx_backend_8085

backend ssl_nginx_backend_8085
    mode tcp
    balance roundrobin
    option  tcp-check
    server  srv-2 127.0.0.1:8085  check  fall 3 rise 2 inter 4s

nginx setup:

server {
   listen 8085 ssl;
   server_name mydomain;

   access_log /var/log/nginx/access.log;
   error_log  /var/log/nginx/error.log;

   ssl_certificate      ./fullchain.pem;
   ssl_certificate_key  ./privkey.pem;
   include include.d/ssl.conf;

   # I want to only allow certain ip addresses
   # haproxy of course always returns 127.0.0.1 thus this is not working
   include include.d/ip_range.conf;

   location / {
        # how to get the proxy headers to be applied here?
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        # do I need a proxy pass and if so where should I pass to,
        # in order to use it with static html/js?
        # can I use an upstream to a static location?
        #proxy_pass http://;
        try_files $uri $uri/ /index.html;
   }
}

On the nginx side you can control which IP addresses or ranges are permitted by adding a deny all and an allow range to your server block, like so:

allow  192.168.1.0/24;
deny   all;

Note: The nginx docs are always an excellent place to start; here are the docs for restricting access by IP addresses and ranges.

First, I would challenge you to reconsider why you need a load balancer with haproxy for something as simple as an html/css/js static site. More infrastructure introduces more complications.

Second, the upstream in nginx is only needed if you want to point requests to a local wsgi server for example, in your case this is static content so you shouldn't need to point to an upstream – not unless you have some sort of wsgi service you want to forward requests to.

Finally, as for haproxy only forwarding requests as 127.0.0.1, first make sure the IP is in the header (i.e. X-Real-IP), then you can try to add something like this to your haproxy config (source), if you indeed want to keep haproxy:

frontend all_https
  option forwardfor header X-Real-IP
  http-request set-header X-Real-IP %[src]

The haproxy documentation is also a good resource for preserving source IP addresses.
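
Added example (not part of the original question or answer): for the TCP pass-through setup in the question, where haproxy forwards the encrypted stream without seeing the HTTP headers, the client address can be carried to nginx with the PROXY protocol. The sketch below reuses the question's port, certificate paths and include file and the answer's sample range; the web root path is an assumed placeholder, and nginx must include the realip module.

```nginx
# haproxy side (backend from the question): add send-proxy to the server
# line so haproxy prepends a PROXY protocol header carrying the client
# address to every connection it opens to nginx:
#
#   server  srv-2 127.0.0.1:8085  send-proxy check fall 3 rise 2 inter 4s

server {
    # proxy_protocol makes nginx expect the PROXY header before the TLS
    # handshake; connections that do not start with it are closed.
    listen 8085 ssl proxy_protocol;
    server_name mydomain;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;

    ssl_certificate      ./fullchain.pem;
    ssl_certificate_key  ./privkey.pem;
    include include.d/ssl.conf;

    # Trust the PROXY header only when the TCP peer is haproxy itself,
    # then replace $remote_addr with the address the header reports
    # (ngx_http_realip_module). Without set_real_ip_from, $remote_addr
    # stays 127.0.0.1.
    set_real_ip_from 127.0.0.1;
    real_ip_header   proxy_protocol;

    # allow/deny run after the realip rewrite, so they now match the
    # real client address instead of haproxy's.
    allow 192.168.1.0/24;   # sample range from the answer
    deny  all;

    root /path/to/dist;     # assumed placeholder for the built site

    location / {
        # Static files only: no proxy_pass or proxy_set_header needed.
        try_files $uri $uri/ /index.html;
    }
}
```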
