Blocking user behind proxy

Hi,

We are using Akamai for site acceleration and wish to block traffic from
a set of IPs.

Can I just do something like

    if $TRUE-CLIENT-IP ~ IP {
        deny all;
    }

or do I need to search the HTTP_Header?

This is not a variable defined in the HTTP core module.

Sameer

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,13912,13912#msg-13912

http://wiki.nginx.org/NginxHttpAccessModule

Also a standard module.

Thanks for the reply vesperto but the real IP of the client is not the
same as $REMOTE_IP. I already tried the AccessModule and that didn’t do
the job.

In my scenario $REMOTE_IP is the IP of the proxy server which is
forwarding the request and $TRUE-CLIENT-IP is a field in the HTTP header
which contains the requesting IP which I wish to block.

Sameer

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,13912,13945#msg-13945

While I’m not 100% sure (prolly Igor or Maxim can confirm/deny) if the
module changes the client's IP before other modules/internals
(like Access) but you could use the RealIP module
http://wiki.nginx.org/NginxHttpRealIpModule

And basically add just the required header:

    real_ip_header TRUE-CLIENT-IP;

rr


On Thu, Oct 15, 2009 at 04:36:30PM +0300, Reinis R. wrote:

> While I’m not 100% sure (prolly Igor or Maxim can confirm/deny) if the module changes the client's IP before other modules/internals
> (like Access) but you could use the RealIP module http://wiki.nginx.org/NginxHttpRealIpModule
>
> And basically add just the required header:
>
> real_ip_header TRUE-CLIENT-IP;

Yes, there are two ways to block some addresses:

  1. real_ip_header TRUE-CLIENT-IP;

     deny 192.168.1.1;
     deny 192.168.1.2;
     deny 192.168.1.3;

     allow all;

  2. geo $http_true_client_ip $forbidden {
         default      0;
         192.168.1.1  1;
     }

     if ($forbidden) {
         return 403;
     }

On Tue, Oct 20, 2009 at 07:44:53AM -0400, sameer wrote:

> Hi,
>
> Sorry for the delayed response.
>
> @Igor I tried putting the deny statement after the real_ip_header True-Client-IP line and didn’t do the job.
>
> Any other suggestions?

Could you show the configuration ?

Hi,

Sorry for the delayed response.

@Igor I tried putting the deny statement after the real_ip_header
True-Client-IP line and didn’t do the job.

Any other suggestions?

Sameer

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,13912,15177#msg-15177

    server {
        listen 80 default;
        server_name www.foo-bar.com;
        location / {
            real_ip_header True-Client-IP;
            error_log logs/error.log;
            access_log logs/access.log main;
            deny 121.243.22.187;
            root /usr/local/apache/htdocs;
        }
    }

    geo $http_true_client_ip $forbidden {
        default no;
        121.243.22.187 0;
    }
    if ($forbidden) {
        return 403;
    }

I tried the geo directive inside the server section and during the
config check I keep getting an error
: “geo” directive is not allowed here in
/usr/local/nginx/conf/nginx.conf

I tried recompiling --with-http_geo_module and got an error.
Using nginx version 0.7.62

Sameer

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,13912,15190#msg-15190

On Tue, Oct 20, 2009 at 08:34:09AM -0400, sameer wrote:

> }

What is in access and error logs for 121.243.22.187 ?

> geo $http_true_client_ip $forbidden {
> default no;
> 121.243.22.187 0;

-             default no;
-             121.243.22.187  0;
+             default 0;
+             121.243.22.187  1;

> }
> if ($forbidden) {
>         return 403;
> }
>
> I tried the geo directive inside the server section and during the config check I keep getting an error
> : “geo” directive is not allowed here in /usr/local/nginx/conf/nginx.conf

    http {

        geo  ...

        server {

@Igor: Your solution worked. Thank you for your help.

Sameer

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,13912,15799#msg-15799
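
Added example, not written by any participant in this thread: a complete nginx.conf showing the two approaches discussed above, with geo declared at http level as in the fix that worked. The addresses 192.0.2.10 and 203.0.113.0/24, the server name www.example.com, the second listen port and the set_real_ip_from line are assumptions that do not appear in the thread's configurations.

```nginx
# Added example; addresses and names below are constructed placeholders.
events {}

http {
    # Approach 2 from the thread: geo keyed on the header value.
    # geo is valid only at http level, not inside server or location.
    # A missing or non-IP header value is looked up as 255.255.255.255,
    # so such requests get the default.
    geo $http_true_client_ip $forbidden {
        default     0;
        192.0.2.10  1;    # constructed address to block
    }

    server {
        listen 80;
        server_name www.example.com;

        # The header is read as sent by whoever connects, so this check is
        # only meaningful if the origin accepts connections from the proxy alone.
        if ($forbidden) {
            return 403;
        }

        location / {
            root /usr/local/apache/htdocs;
        }
    }

    # Approach 1 from the thread: realip plus deny.
    # Needs nginx built with --with-http_realip_module.
    server {
        listen 8080;
        server_name www.example.com;

        # The header is honoured only for peers listed here; without a
        # set_real_ip_from line the client address is never replaced.
        set_real_ip_from 203.0.113.0/24;   # placeholder for the proxy's ranges
        real_ip_header   True-Client-IP;

        location / {
            deny  192.0.2.10;
            allow all;
            root /usr/local/apache/htdocs;
        }
    }
}
```

Checking the file with nginx -t before reloading catches a geo block placed at the wrong level, which is the error reported earlier in the thread.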
