Welcome! Log In Create A New Profile

Advanced

nginx with set_real_ip_from AND allow/deny proxy only

Posted by gaspy 
nginx with set_real_ip_from AND allow/deny proxy only
May 27, 2021 01:21PM
Hello,

I'm trying to set up nginx to work with CloudFlare.
I want 2 separate things that don't seem to work together:

1. I want to only allow connections from a list of CloudFlare IPs, rejecting any direct access that might bypass it. This can be easily done with an allow list of IPs followed by `deny all`.

2. I also want to get the real visitor IPs. This can be done with `set_real_ip_from` and `real_ip_header CF-Connecting-IP`.

When put together this falls apart, because I no longer have the proxy IP, but only the real one. Even if I put a geo $isCF {x.x.x.x 1;} in the http block and then do an if{$isCF=...}, I $remote_addr is always evaluated to the real ip.

Is there any way to have both things working?

Thanks.
Re: nginx with set_real_ip_from AND allow/deny proxy only
May 27, 2021 03:51PM
Found it! Using geo $realip_remote_addr $isCF { ... } I can access the original IP.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 66
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready