How to Block X forwarded-for IP in nginx
Thanks all for the help. I found a solution for this issue. Maybe there is some bug in nginx due to which I found a double IP in $http_x_forwarded_for, but with the help of the real_ip module I am now able to block the IP using the $remote_addr header. By including the code below in my vhost conf, I now get the client IP in the $remote_addr header.
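```nginx
# Take the client address from X-Forwarded-For (ngx_http_realip_module).
# 0.0.0.0/0 trusts the header from any peer; narrow it to the load
# balancer's address range where that range is known.
set_real_ip_from 0.0.0.0/0;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

set $allow true;
# Anchor the pattern and escape the dots so only the leading octets match.
if ($remote_addr ~ "^180\.179\.") {
    set $allow false;
}
if ($remote_addr ~ "^199\.47\.") {
    set $allow false;
}
if ($allow = false) {
    return 403;
}
```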
Author: Rocky
Updated on September 18, 2022

Comments
-
Rocky almost 2 years
My website is running behind an AWS Load Balancer. Now if I try to deny any IP access to my website by using "deny 59.92.130.106" under location /, nothing happens. That IP is still getting a 200 response. Does anyone have an idea why this happens and how I can block an IP in nginx running behind an AWS load balancer? I used the entry below but it is not working.
location / { deny 59.92.130.106; }
-
Richard Smith almost 4 years
Try the Real IP module. See this document.
-
Clément Duveau almost 4 years
You could use AWS NACL for that.
-
Rocky almost 4 years
@ClémentDuveau I don't have access to the NACL. I only have server access; that's why I have to block it at the nginx level.
-
Rocky over 3 years
@RichardSmith Can you please describe how to use this Real IP module?
-
Rocky over 3 years
@RichardSmith Thanks, with some tweaks it worked now.
-
Rocky almost 4 years
I tried
`map $http_x_forwarded_for $block { 59.74.236.125 1; }`
and
`location / { if ($block) { return 403; } try_files $uri $uri/ /index.php?$args; }`
But it's still not working.
-
Ivan Shatsky almost 4 years
@RahulAggarwal The AWS documentation says their load balancers should support the `X-Forwarded-For` header. You can try to debug this by defining a custom log format for your access log with the `$http_x_forwarded_for` field included and checking whether this header is really set by the load balancer. If it isn't, check your load balancer configuration. I don't know how to help further.
-
Rocky almost 4 years
I already configured a custom log format with "$http_x_forwarded_for" and am getting the client IP, but didn't know how to use `$http_x_forwarded_for` for blocking that same IP.
-
Ivan Shatsky almost 4 years
@RahulAggarwal Try `if ($block) { return 403; }` outside of the `location` block if you have several locations defined.
-
Rocky over 3 years
I also tried `if ($block) { return 403; }` outside of the location block but it's still not working.
-
Ivan Shatsky over 3 years
@RahulAggarwal Sorry, I don't know what to suggest further.
-
Rocky over 3 years
Thanks for the help.
-
Michael Hampton over 3 years
You should use `deny` instead of `if`.
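
Added example (not part of the original thread and not nginx's own code): a simplified Python model of how the realip directives in the answer at the top of this page choose `$remote_addr`, comparing `set_real_ip_from 0.0.0.0/0` with a trust list limited to the load balancer. The peer address, the `10.0.0.0/16` load-balancer subnet and the sample header are constructed, and the load balancer is assumed to append the address it saw to any `X-Forwarded-For` value it receives.

```python
import ipaddress

# Prefixes blocked by the answer's `if ($remote_addr ~ ...)` rules, as CIDRs.
BLOCKED = [ipaddress.ip_network(n) for n in ("180.179.0.0/16", "199.47.0.0/16")]


def real_ip(peer, xff, trusted, recursive=True):
    """Simplified model of how the realip module picks $remote_addr."""
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(addr):
        return any(addr in net for net in nets)

    addr = ipaddress.ip_address(peer)
    if not is_trusted(addr):
        return str(addr)          # header ignored: peer is not a known proxy
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):    # walk the header right to left
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break                 # unparsable entry: keep the address we have
        addr = candidate
        if not recursive or not is_trusted(addr):
            break                 # first untrusted hop is taken as the client
    return str(addr)


def is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED)


# Constructed sample request: the load balancer (peer 10.0.1.5) appended the
# address it saw (180.179.10.20) to a header value sent by the client itself.
PEER = "10.0.1.5"
XFF = "203.0.113.7, 180.179.10.20"


def compare():
    trust_all = real_ip(PEER, XFF, ["0.0.0.0/0"])    # setting from the answer
    trust_lb = real_ip(PEER, XFF, ["10.0.0.0/16"])   # assumed LB subnet
    return {"trust_all": (trust_all, is_blocked(trust_all)),
            "trust_lb": (trust_lb, is_blocked(trust_lb))}


if __name__ == "__main__":
    for name, (ip, blocked) in compare().items():
        print(f"{name}: $remote_addr={ip} blocked={blocked}")
```

With every peer trusted, the recursive walk ends on the leftmost header entry, which the client controls; limiting `set_real_ip_from` to the load balancer makes the walk stop at the address the load balancer itself recorded.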