I have configured Nginx to require HTTP Basic auth for a website I'm working on that isn't yet public. I included an allow clause to permit the IP address of the company's head office to view the site without entering a password. This worked initially; however, after placing the Nginx server behind a load balancer (AWS ELB), the IP address Nginx sees is actually the IP address of the load balancer, NOT of the requesting web client, so it stopped working.

I have the real IP address of the client in the X-Forwarded-For header. Is there a way to get Nginx to recognise the client and let it in without logging in?

Alan Rowarth
1 Answer

You should use the NGINX real-IP module for that.

I have described the use of this module here: Stack Overflow #66692200

Basically, you need to do:

real_ip_header X-Forwarded-For;
real_ip_recursive off;

You should check if you are able to set the ELB-IP as the only one that will be allowed to send the X-Forwarded-For header. Find out more information here

Timo Stark
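
A fuller configuration for the setup discussed in this question and answer, as an added example that is not part of the original posts. It combines the real-IP directives with the allow rule and Basic auth; the VPC CIDR, office address, server name and file paths are constructed placeholders.

```nginx
# Added example with constructed placeholder values:
#   10.0.0.0/16          - VPC CIDR the ELB nodes connect from (assumption)
#   203.0.113.10         - head office public IP (documentation range)
#   /etc/nginx/.htpasswd - Basic auth user file (assumption)
server {
    listen 80;
    server_name staging.example.com;   # placeholder

    # Trust X-Forwarded-For only on connections that come from the ELB.
    # Requests from any other source keep their TCP peer address, so a
    # header sent directly to Nginx cannot change $remote_addr.
    set_real_ip_from 10.0.0.0/16;
    real_ip_header   X-Forwarded-For;

    # off: use the LAST address in the header, which is the one the ELB
    # appended. Anything the client put in its own X-Forwarded-For sits
    # to the left of that entry and is ignored.
    real_ip_recursive off;

    # Weak variant to avoid:
    #   set_real_ip_from 0.0.0.0/0;
    #   real_ip_recursive on;
    # Every hop then counts as trusted, Nginx walks the header to its
    # leftmost entry, and that entry is client-controlled, so the allow
    # rule below would no longer mean anything.

    location / {
        # Either the IP rule or a valid password is sufficient.
        satisfy any;

        allow 203.0.113.10;
        deny  all;

        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        root /var/www/html;   # placeholder
    }
}
```

Validate with `nginx -t` before reloading. Logging `$remote_addr` next to `$realip_remote_addr` in the access log shows the rewritten client address beside the original load balancer address, which confirms the allow rule is matching what you expect.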