
I'm running an Nginx 1.2.4 webserver here, and I'm behind a proxy of my hoster to prevent DDoS attacks. The downside of being behind this proxy is that I need to get the REAL IP information from an extra header. In PHP it works great by doing $_SERVER[HTTP_X_REAL_IP] for example.

Now before I was behind this proxy of my hoster I had a very effective way of blocking certain IPs by doing this: include /etc/nginx/block.conf and allow/deny IPs there.

But now due to the proxy, Nginx sees all traffic coming from 1 IP.

I have configured Nginx with --with-http_realip_module so I should now be able to get the real IPs from people.

In my nginx.conf I have added:

real_ip_header X-Forwarded-For;
include blockips.conf;

I have also tried:

real_ip_header X-Real-IP;
include blockips.conf;

In both cases IPs listed in blockips.conf are not being blocked. Also in my log files I do not see the real IPs, but only the proxy IP shows up.

What am I doing wrong?

Mr.Boon
  • Only the proxy is accessing your site, so that's the only IP you're seeing. If you want to block users by IP, you will need to either block them at the proxy, or configure the proxy to somehow forward the real ip info. – Wug Oct 31 '12 at 14:28
  • The proxy also does that, otherwise PHP would not be able to get the IP info via $_SERVER[HTTP_X_REAL_IP]. So with the module that i installed for Nginx, I should be able to fetch the real IP information as well. – Mr.Boon Oct 31 '12 at 14:45

2 Answers


I solved it.

Had to add:

set_real_ip_from 0.0.0.0;

where IP 0.0.0.0 is the proxy.

Koen.
    Needed to add /0 to the end of this: `set_real_ip_from 0.0.0.0/0;` – fotinakis Apr 14 '15 at 21:58
  • 4
    Be very careful with `set_real_ip_from 0.0.0.0/0;`. That essentially means you trust any IP to give you accurate headers (such as X-Forwarded-For). You will need some separate way to block requests from untrusted headers; iptables could do that. Without without something like iptables `set_real_ip_from 0.0.0.0/0;` will allow a hacker to trivially spoof IP addresses. – phylae Jun 03 '15 at 19:05
  • This solution requires you enable an additional nginx module http://nginx.org/en/docs/http/ngx_http_realip_module.html – phylae Jun 03 '15 at 19:06
  • For me, adding /0 at the end wasn't necessary. Actually, it just spawned an annoying warning, so I removed it. – William Jan 22 '16 at 03:33

Careful: Setting set_real_ip_from 0.0.0.0/0; can be a potential security issue, because it will allow any incoming request with headers such as X-Forwarded-For to set the real IP. Even though in special cases this might be useful, it almost certainly creates a circumvention method for IP blocking in nginx. Thanks to @phylae for clarifying in his comment.

kask
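The trust rule behind Koen's set_real_ip_from line, phylae's warning and kask's answer, modelled as an added Python example (not nginx code and not from any of the posters): it mimics how the realip module picks the client address from X-Forwarded-For and then applies a blockips.conf-style deny list. The function names (resolve_client_ip, check_request) and the addresses 203.0.113.0/24 for the hoster's proxy and 198.51.100.7 for a banned client are constructed placeholders; real_ip_recursive is assumed on.

```python
from ipaddress import ip_address, ip_network


def is_trusted(addr, trusted_cidrs):
    """True if addr lies in any CIDR that set_real_ip_from would list."""
    ip = ip_address(addr)
    return any(ip in ip_network(c, strict=False) for c in trusted_cidrs)


def resolve_client_ip(remote_addr, xff, trusted_cidrs, recursive=True):
    """Model of how the realip module picks the client address.

    remote_addr: the TCP peer (the hoster's proxy on a legitimate request).
    xff: the X-Forwarded-For value, or None when the header is absent.
    The header is only consulted when the peer matches set_real_ip_from.
    With real_ip_recursive on, hops are read right to left, trusted ones
    are skipped, and the last untrusted hop is the client; if every hop is
    trusted the leftmost (fully sender-controlled) entry is used.
    """
    if not xff or not is_trusted(remote_addr, trusted_cidrs):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not recursive:
        return hops[-1]
    for hop in reversed(hops):
        if not is_trusted(hop, trusted_cidrs):
            return hop
    return hops[0]


def check_request(remote_addr, xff, trusted_cidrs, deny_list):
    """Return (client_ip, denied) for a blockips.conf-style deny list."""
    client = resolve_client_ip(remote_addr, xff, trusted_cidrs)
    denied = any(ip_address(client) in ip_network(d, strict=False) for d in deny_list)
    return client, denied


# Constructed sample values (placeholders, not the poster's real addresses).
PROXY_NET = "203.0.113.0/24"          # the hoster's DDoS proxy range
BANNED = "198.51.100.7"               # an address listed in blockips.conf
DENY = [BANNED]
FORGED = "192.0.2.1, " + BANNED       # banned client supplies a decoy hop;
                                      # the proxy appends the true peer last

if __name__ == "__main__":
    # Trust limited to the proxy: the decoy hop is ignored, request denied.
    print(check_request("203.0.113.10", FORGED, [PROXY_NET], DENY))
    # set_real_ip_from 0.0.0.0/0: every hop is trusted, so the decoy wins.
    print(check_request("203.0.113.10", FORGED, ["0.0.0.0/0"], DENY))
```

The same comparison run with the banned address connecting directly (bypassing the proxy) shows why the deny list only holds when set_real_ip_from is limited to the proxy's own range.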