
nginx deny based on $http_x_forwarded_for

I have an nginx container in openshift. I am trying to limit the access from external IPs, more specifically, anything not in the 10.XXX range.

This is my config file

http {
    ....
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    ....

    server {
        listen 8080;
        server_name app.okd.company.com;

        # access control: evaluated against $remote_addr, the peer that opened the TCP connection
        allow 10.0.0.0/8;
        deny all;

        location / {
            proxy_pass http://app/;
            # append the peer address to any X-Forwarded-For already present
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_redirect off;
        }

        location /static/ {
            autoindex on;
            alias /app/static/;
        }
    }
}

The connection is allowed whether private or external. Here are some logs.

10.129.2.1 - - [16/Nov/2021:19:28:57 +0000] "POST /graphql/ HTTP/1.1" 200 53384 "https://app.okd.company.com/ " "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" "10.3.16.158"

10.131.2.1 - - [16/Nov/2021:19:42:56 +0000] "POST /graphql/ HTTP/1.1" 200 53384 "https://app.okd.company.com/ " "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" "73.177.XXX.XXX"

The first log seems to be allowing private IP connections, which is expected, but the second one is still being allowed. I'm not sure why it isn't blocking.

EDIT:

I realize the remote_addr is in the private IP range. I don't care which proxy it used to access the nginx I have control over. I just care about the origin/http_x_forwarded_for. Is there a way I can allow or deny based off of that?

To use the http_x_forwarded_for as the real IP, you should set that in the server config.

...
    server {
        set_real_ip_from 10.0.0.0/8;
        real_ip_header X-Forwarded-For;
...

set_real_ip_from is not optional. It needs to contain all addresses that could be the forwarding proxy.
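The answer works because the realip module rewrites $remote_addr during the post-read phase, before allow/deny runs in the access phase, and it only consults the header when the connecting peer matches set_real_ip_from. The following Python model of that rewrite is an added illustration, not nginx source code and not part of the question or answer: it replays the two peers and the first X-Forwarded-For value from the question's log lines, uses 73.177.0.1 as a stand-in for the masked 73.177.XXX.XXX, and adds constructed header chains (a client forging X-Forwarded-For, a proxy that passes the header through unchanged) to show where the scheme holds and where it relies on the proxy. The function names and the sample requests are assumptions for the example.

```python
"""Model of nginx's realip rewrite (set_real_ip_from / real_ip_header /
real_ip_recursive) followed by allow/deny.  Added illustration of the
mechanism, not nginx source code."""
import ipaddress
from typing import Dict, Optional, Tuple

# Mirrors the answer: set_real_ip_from 10.0.0.0/8 (the router pods)
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Mirrors the question: allow 10.0.0.0/8; deny all;
ALLOW_LIST = [ipaddress.ip_network("10.0.0.0/8")]


def is_ip(addr: str) -> bool:
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def in_any(addr: str, nets) -> bool:
    return is_ip(addr) and any(ipaddress.ip_address(addr) in net for net in nets)


def real_ip(remote_addr: str, xff: Optional[str], trusted, recursive: bool = False) -> str:
    """Address nginx substitutes for $remote_addr.

    The header is consulted only when the connecting peer is itself a trusted
    proxy; otherwise a client could forge X-Forwarded-For on a direct
    connection.  recursive=False takes the last (rightmost) hop; recursive=True
    walks right-to-left past trusted hops to the first untrusted one and falls
    back to the leftmost hop if every hop is trusted.
    """
    if not xff or not in_any(remote_addr, trusted):
        return remote_addr
    chosen = remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not is_ip(hop):
            break                       # malformed entry: keep what we have
        chosen = hop
        if not recursive or not in_any(hop, trusted):
            break
    return chosen


def decide(remote_addr: str, xff: Optional[str], use_realip: bool = True,
           recursive: bool = False) -> Tuple[str, str]:
    """Return (verdict, address the access phase saw) for one request."""
    client = real_ip(remote_addr, xff, TRUSTED_PROXIES, recursive) if use_realip else remote_addr
    return ("allow" if in_any(client, ALLOW_LIST) else "deny"), client


# Constructed requests: (label, connecting peer, X-Forwarded-For as received).
# Peers and the 10.3.16.158 value come from the question's logs; 73.177.0.1
# stands in for the masked external address; the chains are made up.
REQUESTS = [
    ("internal user via router",      "10.129.2.1", "10.3.16.158"),
    ("external user via router",      "10.131.2.1", "73.177.0.1"),
    ("external user forging XFF",     "10.131.2.1", "10.3.16.158, 73.177.0.1"),
    ("proxy that passes XFF through", "10.131.2.1", "10.3.16.158"),   # proxy did not append
    ("external peer, no proxy",       "73.177.0.1", "10.3.16.158"),   # forged header, direct hit
]


def report(use_realip: bool, recursive: bool = False) -> Dict[str, Tuple[str, str]]:
    return {name: decide(peer, xff, use_realip, recursive) for name, peer, xff in REQUESTS}


if __name__ == "__main__":
    for label, args in (("posted config (no realip)", (False,)),
                        ("with set_real_ip_from + real_ip_header", (True,)),
                        ("same, real_ip_recursive on", (True, True))):
        print(label)
        for name, (verdict, seen) in report(*args).items():
            print(f"  {verdict:5} {seen:16} {name}")
```

Two things the run makes visible. First, with the posted config every request arriving through a router pod is allowed, because the access phase only ever sees 10.129.2.1 or 10.131.2.1; with the answer's directives the external client is denied whether or not it forged an X-Forwarded-For of its own, since the router appends the true peer address as the last hop. Second, the "proxy that passes XFF through" case is still allowed: realip trusts whatever a set_real_ip_from address hands it, so the scheme is only as strong as the guarantee that every trusted proxy appends or overwrites the header. Keep set_real_ip_from to the proxy subnet you actually control and never widen it to 0.0.0.0/0.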
