Welcome! Log In Create A New Profile

Advanced

Re: GeoIP Module for Blocking IP in http_x_forwarded_for

January 17, 2018 07:33AM
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Thu, Jan 11, 2018 at 07:17:20AM -0500, anish10dec wrote:
>
> > GeoIP module is able to block request on basis of remote address
> which is IP
> > of the remote device or user but not on basis of X-Forwarded-For IP
> if it
> > has multiple IP address in it.
> >
> > There is Frontend Server( Server A) which receives the request and
> send it
> > to Intermediate Server (Server B)
> > We have GeoIP module installed on Intermediate Server i.e. Server B
> >
> >
> > Server B <--- Server A <---- User
> >
> > When Server B , receives the request from Server A, remote address
> > (remote_addr) for Server B is IP of Server A.
> > Device/User IP is in http_x_forwarded_for field .
> > If http_x_forwarded_for has single IP in it GeoIP module is able to
> block
> > the IP on the basis of blocking applied.
> >
> > If http_x_forwarded_for has multiple IP i.e IP of User as well as IP
> of some
> > Proxy Server or IP of Server A, then its not able to block the
> request.
> >
> > Below is the configuration :
> >
> > geoip_country /usr/share/GeoIP/GeoIP.dat;
> > geoip_proxy IP_OF_ServerA; // GeoIP module ignores
> remote_addr
> > considering it as trusted and refers to X-Forwarded For
> >
> > map $geoip_country_code $allowed_country {
> > default no;
> > US yes;
> > }
> >
> > http_x_forwarded_for = { User IP of UK } - Request from this IP is
> getting
> > blocked
> >
> > http_x_forwarded_for = { User IP of UK , Proxy IP of US } - This
> request
> > is not getting blocked
> >
> > http_x_forwarded_for = { User IP of UK , IP of Server A } - This
> request
> > is not getting blocked
> >
> > It seems nginx GeoIP Module refers to Last IP in
> http_x_forwarded_for field
> > for applying the blocking method.
>
> This is what X-Forwarded-For header format assumes: IP addresses
> are added to the end of the list. As such, the last address is
> the only one you can trust in the above configuration.
>
> That is, a request with
>
> X-Forwarded-For: IP1, IP2, IP3
>
> as got from Server A doesn't mean that you've got a request from
> IP1 forwarded to you via various proxies. It instead means that
> Server A got the request from IP3 with "X-Forwarded-For: IP1, IP2"
> already present in the request. Nothing guarantees that IP1 and
> IP2 are real addresses - they can be easily faked by the client,
> or they can be internal addresses in the client network.
>
> > Is there a way to check for First IP Address in http_x_forwarded_for
> for
> > blocking the request ?
>
> If you really want to, you can do so using the
> geoip_proxy_recursive directive and configuring the geoip_proxy to
> trust the whole world, see here:
>
> http://nginx.org/r/geoip_proxy_recursive

geoip_proxy_recursive on;

"If recursive search is disabled then instead of the original client address that matches one of the trusted addresses, the last address sent in “X-Forwarded-For” will be used. If recursive search is enabled then instead of the original client address that matches one of the trusted addresses, the last non-trusted address sent in “X-Forwarded-For” will be used."

Even enabling this last IP Address is used which is again not able to block the request as Client IP is at 1st Position.


>
> Note though that this is generally not secure as the address can
> be easily forged, see above.

Agree .

Tried by enabling the Geo IP module on Server A which looks after remote address field and successfully blocks the request.
But the problem here is that it is even blocking the requests coming from our Internal Private IP Segment such as 10.0.0.0/27 which are used for monitoring .

Is there a way to declare few Private IP's or IP Range as trusted address even though if they are coming under blocked countries ?

Thanks and Regards,
Anish
Subject Author Posted

GeoIP Module for Blocking IP in http_x_forwarded_for

anish10dec January 11, 2018 07:17AM

Re: GeoIP Module for Blocking IP in http_x_forwarded_for

Maxim Dounin January 11, 2018 09:16AM

Re: GeoIP Module for Blocking IP in http_x_forwarded_for

anish10dec January 17, 2018 07:33AM

Re: GeoIP Module for Blocking IP in http_x_forwarded_for

Maxim Dounin January 17, 2018 09:42AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 56
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready