How to Block X forwarded-for IP in nginx


Thanks all for the help. I found a solution for this issue. Maybe there is some bug in nginx due to which I found a double IP in $http_x_forwarded_for, but with the help of the real_ip module I am now able to block the IP using the $remote_addr header. By including the code below in my vhost conf I now get the client IP in the $remote_addr header.

# real_ip module: replace $remote_addr (the load balancer's address) with the
# client address taken from X-Forwarded-For. 0.0.0.0/0 accepts that header
# from every peer, not only from the load balancer.
set_real_ip_from 0.0.0.0/0;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

# block by address prefix of the resolved client (dots escaped so the regex
# matches a literal "." and is anchored at the start of the address)
set $allow true;
if ($remote_addr ~ "^180\.179\.") {
    set $allow false;
}
if ($remote_addr ~ "^199\.47\.") {
    set $allow false;
}
if ($allow = false) {
    return 403;
}
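As an added illustration (not code from the post), this Python script emulates the real_ip address selection the configuration above relies on and shows why the trusted range matters: with real_ip_recursive on and set_real_ip_from 0.0.0.0/0 every hop is trusted, so nginx falls back to the left-most X-Forwarded-For entry, which the client itself controls. The addresses are constructed sample values and the load balancer is assumed to sit in 10.0.0.0/8.

```python
import ipaddress

# Constructed sample values (not from a real deployment): the client the post
# blocks, a private load-balancer address and a forged address a client might send.
CLIENT, LB, FORGED = "59.92.130.106", "10.0.0.5", "203.0.113.9"
DENY = ["59.92.130.106/32", "180.179.0.0/16", "199.47.0.0/16"]   # the post's deny list as CIDRs

def _ip(addr):
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None

def _in_any(addr, cidrs):
    ip = _ip(addr)
    return ip is not None and any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def real_ip(remote_addr, xff, trusted_cidrs, recursive=True):
    """Return what nginx exposes as $remote_addr with real_ip_header X-Forwarded-For,
    set_real_ip_from trusted_cidrs and real_ip_recursive on/off (emulation)."""
    if not xff or not _in_any(remote_addr, trusted_cidrs):
        return remote_addr                    # peer not trusted: header ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops or any(_ip(h) is None for h in hops):
        return remote_addr                    # simplification: malformed header ignored
    if not recursive:
        return hops[-1]                       # only the last (right-most) hop counts
    for h in reversed(hops):                  # walk right-to-left past trusted proxies
        if not _in_any(h, trusted_cidrs):
            return h
    return hops[0]                            # every hop trusted: left-most entry wins

def is_denied(addr, deny_cidrs=DENY):
    """CIDR match on the resolved client, like nginx `deny` lines after real_ip."""
    return _in_any(addr, deny_cidrs)

if __name__ == "__main__":
    forged = f"{FORGED}, {CLIENT}"            # LB appends the true peer after the client's own header
    for trust in (["10.0.0.0/8"], ["0.0.0.0/0"]):
        for xff in (CLIENT, forged):
            ip = real_ip(LB, xff, trust)
            print(f"trust={trust[0]:<10} xff={xff!r:<30} -> {ip:<15} denied={is_denied(ip)}")
```

Narrowing set_real_ip_from to the load balancer's range keeps the blocked address resolving to the real peer even when a forged header is prepended.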
Author: Rocky
Updated on September 18, 2022

Comments

  • Rocky
    Rocky almost 2 years

    My website is running behind an AWS Load Balancer. Now if I try to deny an IP from accessing my website by using "deny 59.92.130.106" under location /, nothing happens. That IP is still getting a 200 response. Does anyone have an idea why this happened and how I can block an IP in nginx running behind an AWS load balancer? I used the entry below but it is not working.

    location / {
        deny 59.92.130.106;
    }
    
    • Richard Smith
      Richard Smith almost 4 years
      Try the Real IP module. See this document.
    • Clément Duveau
      Clément Duveau almost 4 years
      You could use AWS NACL for that.
    • Rocky
      Rocky almost 4 years
      @ClémentDuveau I don't have access to the NACL. I have only server access, that's why I have to block it at the nginx level.
    • Rocky
      Rocky over 3 years
      @RichardSmith Can you please describe how to use this Real IP module?
    • Rocky
      Rocky over 3 years
      @RichardSmith Thanks, with some tweaks it's now working.
  • Rocky
    Rocky almost 4 years
    I tried map $http_x_forwarded_for $block { 59.74.236.125 1; } and location / { if ($block) { return 403; } try_files $uri $uri/ /index.php?$args; } but it's still not working.
  • Ivan Shatsky
    Ivan Shatsky almost 4 years
    @RahulAggarwal The AWS documentation says their load balancers should support the X-Forwarded-For header. You can try to debug this by defining a custom log format for your access log with the $http_x_forwarded_for field included and checking whether this header is really set by the load balancer. If it isn't, check your load balancer configuration. I don't know how to help further.
  • Rocky
    Rocky almost 4 years
    I already configured a custom log format with "$http_x_forwarded_for" and I am getting the client IP, but I don't know how to use $http_x_forwarded_for for blocking that same IP.
  • Ivan Shatsky
    Ivan Shatsky almost 4 years
    @RahulAggarwal Try if ($block) { return 403; } outside the location block if you have several locations defined.
  • Rocky
    Rocky over 3 years
    I also tried if ($block) { return 403; } outside the location block but it's still not working.
  • Ivan Shatsky
    Ivan Shatsky over 3 years
    @RahulAggarwal Sorry, I don't know what to suggest further.
  • Rocky
    Rocky over 3 years
    Thanks for the help.
  • Michael Hampton
    Michael Hampton over 3 years
    You should use deny instead of if.