Re: GeoIP Module for Blocking IP in http_x_forwarded_for

Maxim Dounin
January 17, 2018 09:42AM
Hello!

On Wed, Jan 17, 2018 at 07:33:43AM -0500, anish10dec wrote:

[...]

> > > Is there a way to check for the first IP address in http_x_forwarded_for for
> > > blocking the request?
> >
> > If you really want to, you can do so using the
> > geoip_proxy_recursive directive and configuring the geoip_proxy to
> > trust the whole world, see here:
> >
> > http://nginx.org/r/geoip_proxy_recursive
>
> geoip_proxy_recursive on;
>
> "If recursive search is disabled then instead of the original client address
> that matches one of the trusted addresses, the last address sent in
> “X-Forwarded-For” will be used. If recursive search is enabled then instead
> of the original client address that matches one of the trusted addresses,
> the last non-trusted address sent in “X-Forwarded-For” will be used."
>
> Even after enabling this, the last IP address is used, which is again not
> able to block the request, as the client IP is in the 1st position.

The "configuring the geoip_proxy to trust the whole world" part of
the quote above is important. That is, you have to do something
like this:

geoip_proxy 0.0.0.0/0;
geoip_proxy_recursive on;

This way all addresses in the X-Forwarded-For header will be
trusted, and nginx will use the first address in the
X-Forwarded-For header.

Note again that this is not secure as the address can be easily
forged.

> > Note though that this is generally not secure as the address can
> > be easily forged, see above.
>
> Agree.
>
> Tried by enabling the GeoIP module on Server A, which looks at the remote
> address field and successfully blocks the request.
> But the problem here is that it is even blocking the requests coming from
> our internal private IP segment, such as 10.0.0.0/27, which is used for
> monitoring.
>
> Is there a way to declare a few private IPs or an IP range as trusted
> addresses even if they fall under blocked countries?

If you are connecting to the server directly from the private
range, you may want to review your blocking policy. Private
addresses shouldn't have a country associated with them, so you
must be blocking them for some other reasons.

If you are connecting to the server via a proxy server in an
otherwise blocked country, you may want to configure nginx to
trust this specific server using the geoip_proxy directive. This
should be more secure than trusting the whole world.

--
Maxim Dounin
http://mdounin.ru/
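
The address selection described in the documentation quoted above, as a simplified model added here (not part of the original message and not nginx's own code). The function name `effective_address` is hypothetical, and every address is constructed from the documentation ranges: 192.0.2.10 stands for your own proxy, 203.0.113.7 for the real client, 198.51.100.1 for a value the client wrote into the header itself.

```python
import ipaddress


def effective_address(remote_addr, xff, trusted, recursive):
    """Model which address a GeoIP lookup ends up using.

    remote_addr: address of the TCP peer.
    xff:         raw X-Forwarded-For header value ("" if absent).
    trusted:     CIDR strings, as they would be given to geoip_proxy.
    recursive:   models geoip_proxy_recursive on/off.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    current = ipaddress.ip_address(remote_addr)
    # Walk the header right to left: the rightmost entry was appended by
    # the hop closest to this server.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not any(current in n for n in nets):
            break  # current address is not a trusted proxy, keep it
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # empty or unparsable entry, stop at the last good address
        if not recursive:
            break  # non-recursive: only the last header entry is considered
    return str(current)


# Constructed request: the client sent "X-Forwarded-For: 198.51.100.1" itself,
# then the proxy at 192.0.2.10 appended the real client address.
PROXY = "192.0.2.10"
HEADER = "198.51.100.1, 203.0.113.7"

if __name__ == "__main__":
    # geoip_proxy 0.0.0.0/0 + recursive: the client-supplied value wins.
    print(effective_address(PROXY, HEADER, ["0.0.0.0/0"], True))
    # geoip_proxy 192.0.2.10 + recursive: the last non-trusted address wins.
    print(effective_address(PROXY, HEADER, ["192.0.2.10/32"], True))
    # Direct connection that bypasses the proxy: the header is ignored.
    print(effective_address("203.0.113.7", "198.51.100.1", ["192.0.2.10/32"], True))
```

With only the specific proxy trusted, a country block is evaluated against the address that proxy observed, so a client-written header entry cannot change the lookup.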