Hello!

On Wed, Jan 17, 2018 at 07:33:43AM -0500, anish10dec wrote:

[...]

> > > Is there a way to check for First IP Address in http_x_forwarded_for for
> > > blocking the request?
> >
> > If you really want to, you can do so using the
> > geoip_proxy_recursive directive and configuring the geoip_proxy to
> > trust the whole world, see here:
> >
> > http://nginx.org/r/geoip_proxy_recursive
>
> geoip_proxy_recursive on;
>
> "If recursive search is disabled then instead of the original client address
> that matches one of the trusted addresses, the last address sent in
> “X-Forwarded-For” will be used. If recursive search is enabled then instead
> of the original client address that matches one of the trusted addresses,
> the last non-trusted address sent in “X-Forwarded-For” will be used."
>
> Even enabling this last IP Address is used which is again not able to block
> the request as Client IP is at 1st Position.

The "configuring the geoip_proxy to trust the whole world" part of
the quote above is important. That is, you have to do something
like this:

    geoip_proxy 0.0.0.0/0;
    geoip_proxy_recursive on;

This way all addresses in the X-Forwarded-For header will be
trusted, and nginx will use the first address in the
X-Forwarded-For header.

Note again that this is not secure as the address can be easily
forged.

> > Note though that this is generally not secure as the address can
> > be easily forged, see above.
>
> Agree.
>
> Tried by enabling the Geo IP module on Server A which looks after remote
> address field and successfully blocks the request.
> But the problem here is that it is even blocking the requests coming from
> our Internal Private IP Segment such as 10.0.0.0/27 which are used for
> monitoring.
>
> Is there a way to declare few Private IPs or IP Range as trusted address
> even though if they are coming under blocked countries?

If you are connecting to the server directly from the private
range, you may want to review your blocking policy. Private
addresses shouldn't have a country associated with them, so you
must be blocking them for some other reasons.

If you are connecting to the server via a proxy server in an
otherwise blocked country, you may want to configure nginx to
trust this specific server using the geoip_proxy directive. This
should be more secure than trusting the whole world.

-- 
Maxim Dounin
http://mdounin.ru/
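
The address selection discussed in the message above, as an added example that is not part of the original message and is not nginx's own code. It is a simplified Python model of how the geoip_proxy and geoip_proxy_recursive settings pick the lookup address from X-Forwarded-For; the function name effective_addr and all addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def effective_addr(remote_addr, xff, trusted, recursive):
    """Return the address a geoip lookup would use (simplified model)."""
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(a):
        ip = ipaddress.ip_address(a)
        return any(ip in n for n in nets)

    addr = remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk X-Forwarded-For right to left while the current address is trusted.
    while hops and is_trusted(addr):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: keep the address found so far
        addr = candidate
        if not recursive:
            break  # non-recursive: only the last entry is ever considered
    return addr

# Constructed sample (documentation address ranges, not real traffic):
PROXY = "198.51.100.10"             # front proxy that connects to nginx
XFF = "192.0.2.55, 203.0.113.7"     # client-supplied entry, then the address the proxy saw

CASES = {
    "geoip_proxy 0.0.0.0/0; recursive on": (["0.0.0.0/0"], True),
    "geoip_proxy 0.0.0.0/0; recursive off": (["0.0.0.0/0"], False),
    "geoip_proxy 198.51.100.10; recursive on": ([PROXY + "/32"], True),
}

def run_cases():
    return {name: effective_addr(PROXY, XFF, nets, rec)
            for name, (nets, rec) in CASES.items()}

if __name__ == "__main__":
    for name, addr in run_cases().items():
        print(f"{name:42} -> {addr}")
```

Only the configuration that trusts the specific proxy resolves to the entry that proxy appended; trusting the whole world with recursive search resolves to the first, client-supplied entry.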