Problem

I'm trying to configure fail2ban to block DDoS attacks using the chunk shown here.

Basically, it looks at all requests, and if any single IP makes more than 240 requests over 60 seconds, it blocks them for two days.

However, all the logs in my nginx access are from 127.0.0.1, which makes the whole thing pointless.

What could cause nginx to log all traffic as coming from the server?

(I'm running Drupal on a LEMP stack with perusio's nginx config.)

split_account

2 Answers

Since you have varnish in front of nginx, it thinks all the requests are coming from 127.0.0.1, since technically they are.

To resolve this, use the nginx real ip module to pick the client's IP address out of the X-Forwarded-For header, which Varnish automatically adds to requests (unless you told it not to).

An example nginx configuration would be:

set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
Michael Hampton
  • Thanks Michael you've just rescued my Sunday afternoon. As it turns out the chunk is actually in Perusio's config but I just hadn't understood the purpose and so I hadn't set it up. – split_account Jun 01 '14 at 18:00

The example piece of configuration Michael is talking about is in the top-level nginx config at /etc/nginx/nginx.conf if you're using Perusio's config.

http {
    ## MIME types.
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ## FastCGI.
    include /etc/nginx/fastcgi.conf;

    ## Default log and error files.
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ## Use sendfile() syscall to speed up I/O operations and speed up
    ## static file serving.
    sendfile on;
    ## Handling of IPs in proxied and load balancing situations.
    set_real_ip_from 0.0.0.0/32; # all addresses get a real IP.
    real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy

You need to change 0.0.0.0/32 to 127.0.0.1.

split_account
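
The trust rule both answers rely on, as an added example (not part of the original answers or of Perusio's config): a simplified Python model of how the realip module picks the address that ends up in the access log, showing why `0.0.0.0/32` (a single-host prefix) never matches Varnish on 127.0.0.1. The function name, the sample addresses and the assumption that the proxy appends the connecting address to X-Forwarded-For are made up for the illustration.

```python
import ipaddress

def logged_client_ip(peer, xff, trusted, recursive=False):
    """Simplified model of nginx realip: return the address that gets logged.

    peer      -- address of the TCP connection (Varnish on this page: 127.0.0.1)
    xff       -- X-Forwarded-For header value, or None
    trusted   -- list of set_real_ip_from values
    recursive -- models real_ip_recursive (off by default)
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    # The header is honoured only when the connection comes from a trusted proxy.
    if not xff or not is_trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        for h in hops:
            ipaddress.ip_address(h)
    except ValueError:
        return peer  # simplification: any unparsable hop leaves the address unchanged
    if not hops:
        return peer
    if not recursive:
        return hops[-1]  # last address in the header
    for h in reversed(hops):
        if not is_trusted(h):
            return h  # last non-trusted address
    return hops[0]

if __name__ == "__main__":
    # Constructed cases: (connection address, header, set_real_ip_from list)
    cases = [
        ("127.0.0.1", "203.0.113.7", ["0.0.0.0/32"]),            # shipped value
        ("127.0.0.1", "203.0.113.7", ["127.0.0.1"]),             # corrected value
        ("198.51.100.9", "203.0.113.7", ["127.0.0.1"]),          # not via the proxy
        ("127.0.0.1", "192.0.2.1, 203.0.113.7", ["127.0.0.1"]),  # proxy appended its peer
    ]
    for peer, xff, trusted in cases:
        print(f"{trusted[0]:<12} peer={peer:<13} xff={xff!r:<26} -> "
              f"{logged_client_ip(peer, xff, trusted)}")
```

With `set_real_ip_from 127.0.0.1`, fail2ban counts requests per real client address, and a header arriving on a connection that did not come through the proxy is ignored.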