Forum: NGINX GeoIP FirstNonPrivateXForwardedForIP

Keyur (Guest)
on 2014-06-12 18:37
(Received via mailing list)
Hi,

My website does country based redirection based on result obtained from
GeoIP against IP.

I am facing a problem where GeoIP does not work as the first IP in the
X-Forwarded-For has a private network address (say 192.168.1.1).

I know GeoIP on a private network would fail, but the X-Forwarded-For also
has the public IP along with the private IP.

Eg : 192.168.1.1, 115.97.213.63 - - [Timezone] ......

In some cases where multiple proxies are involved it would show :

192.168.1.1, 115.97.213.63, 115.97.213.12 - -

I want GeoIP to be done on the first non-private IP. I could achieve
this in Apache using the GeoIP module directive called
"FirstNonPrivateXForwardedForIP".

How to do this in nginx?

Kindly suggest

Regards,
Keyur

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250823,250823#msg-250823
Lukas Tribus (Guest)
on 2014-06-12 19:10
(Received via mailing list)
>
> How to do this in nginx ?
>
> Kindly suggest

http://nginx.org/en/docs/http/ngx_http_geoip_modul...


Lukas
Keyur (Guest)
on 2014-06-16 07:18
(Received via mailing list)
Hi Lukas,

Thanks for your reply.

I have already tried
http://nginx.org/en/docs/http/ngx_http_geoip_modul...

But this needs a list of subnets / networks to be whitelisted first as a
trusted source. I do not (can not) have a list of such networks, as they can
be an intermediate proxy of any company. Eg: Google Chrome on a smartphone uses
the Google compression proxy in between before reaching the actual server where
the website is hosted. Opera Mini also does the same, and similarly I don't know
who all does it. So I can not have a list of all trusted networks.

I've also come across an issue where someone is sitting behind a proxy (eg:
Squid on a local network) and browses the internet; then the first IP from the left is
the LAN IP (private network address) and then the public IP follows. Here GeoIP
country detection fails.

Eg : 10.0.0.50, <Some Public IP>  - - [12/Jun/2014:17:09:28 +0530] "GET / HTTP/1.1" 200 50675

I need a way where I can tell nginx that it should do GeoIP on the first
public IP from the left. Currently, due to the private address in the first place,
GeoIP fails and the country is not detected.

Do suggest what can be done.

Regards,
Keyur

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250823,250871#msg-250871
Lukas Tribus (Guest)
on 2014-06-16 09:13
(Received via mailing list)
Hi,



> who all does it. So I can not have a list of all trusted networks.

You cannot trust X-F-F headers of untrusted third party networks and proxies,
otherwise everyone can spoof whatever remote IP they want.

Don't do this.



Lukas
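
An added example, not part of the thread and not nginx code: a Python model of the two selection rules under discussion, the leftmost public X-Forwarded-For entry versus a right-to-left walk that only steps over trusted proxies. The load balancer address 198.51.100.10 and the trusted network are constructed for the example; the other addresses are the ones quoted in the thread.

```python
import ipaddress

# Constructed for this example: the only proxy the site operator runs and trusts.
TRUSTED = [ipaddress.ip_network("198.51.100.0/24")]

def parse_xff(header):
    """X-Forwarded-For entries as ip_address objects; None marks an unparseable entry."""
    hops = []
    for part in header.split(","):
        try:
            hops.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            hops.append(None)
    return hops

def first_non_private(header):
    """Leftmost public entry: the selection asked for in the thread. Client-controlled."""
    for ip in parse_xff(header):
        if ip is not None and not ip.is_private:
            return str(ip)
    return None

def rightmost_untrusted(header, peer, trusted=TRUSTED):
    """Start at the TCP peer and move left only while standing on a trusted proxy."""
    current = ipaddress.ip_address(peer)
    for hop in reversed(parse_xff(header)):
        if not any(current in net for net in trusted):
            break  # current is not our proxy, so nothing to its left is verified
        if hop is None:
            break  # unparseable entry: keep the last address we could verify
        current = hop
    return str(current)

if __name__ == "__main__":
    lb = "198.51.100.10"  # constructed: our own load balancer, which appends the peer it saw
    samples = {
        "client behind Squid": "192.168.1.1, 115.97.213.63",
        "client-supplied first entry": "115.97.213.12, 115.97.213.63",
    }
    for label, xff in samples.items():
        print(f"{label:28} leftmost-public={first_non_private(xff)} "
              f"rightmost-untrusted={rightmost_untrusted(xff, lb)}")
```

In both samples the right-to-left walk lands on 115.97.213.63, the address the trusted load balancer itself recorded, so the private entry never has to be skipped; the leftmost-public rule follows whatever the client put first.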
Keyur (Guest)
on 2014-06-16 09:20
(Received via mailing list)
Hi Lukas,

Noted! Agreed!

How do I tell nginx to do GeoIP on FirstNonPrivateXForwardedForIP?

Regards,
Keyur

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250823,250876#msg-250876
Keyur (Guest)
on 2014-06-23 08:58
(Received via mailing list)
Hello,

Can someone please look into this.. I need it for proper website
functionality.

Regards,
Keyur

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250823,251101#msg-251101
Jonathan Matthews (Guest)
on 2014-06-23 12:31
(Received via mailing list)
On 23 Jun 2014 07:58, "Keyur" <nginx-forum@nginx.us> wrote:
>
> Hello,
>
> Can someone please look into this.. I need it for proper website
> functionality.

I don't know the answer to your problem and perhaps, given the lack of
reply, no one on this public mailing list mainly populated by non-nginx
staff does either.

If your business has an immediate, pressing need for support, you may wish
to take advantage of the professional services nginx offer:
http://nginx.com/products/services/

J
Keyur (Guest)
on 2014-06-23 13:06
(Received via mailing list)
Thanks Jonathan!

Well, I can not comment regarding getting professional service. In fact, I will
be glad to have support, but if I go with this approach then I would rather
be asked to use a web server which supports the said feature. (This is doable
in Apache.) And I really don't want to do away with nginx.

With the lack of reply I understand this isn't possible in nginx at the moment,
but I hope this is taken as a feature request so that I can use it in nginx
and do not have to rely on another web server.

Regards
Keyur

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250823,251103#msg-251103
Steve Wilson (Guest)
on 2014-06-23 13:17
(Received via mailing list)
On 23/06/2014 12:05, Keyur wrote:
> With lack of reply I understand this isn't possible in nginx at the
> moment
> but I hope this is taken as feature request so that I can use it in
> nginx
> and does not have to rely on other web server.

The chances are it's probably possible, however this mailing list/forum
has a limited subset of nginx users available to assist.

I'm not sure why you have the requirement to use the XFF header to get
geoip, but have you looked at the realip module
<http://nginx.org/en/docs/http/ngx_http_realip_modu.... My first
thought would be to configure it to ignore RFC1918 addresses so the real
IP would in theory become a true IP which geoip could then use for
locating the user.

I have a piwik install on nginx, behind varnish with another nginx
instance doing SSL termination. Using realip to detect the user's
location seems to have done the trick.

Steve.
Lukas Tribus (Guest)
on 2014-06-23 14:31
(Received via mailing list)
> Hello,
>
> Can someone please look into this.. I need it for proper website
> functionality.

I don't see why you would need it once you properly set up the
proxy whitelist?
wandenberg (Guest)
on 2014-08-01 04:13
(Received via mailing list)
Hi,

Some time ago I had a similar issue, and I grabbed some parts of nginx internals
modules and did one specific to me.
My issue was to use the first XForwardedFor IP, but only when the client
address was the Google Chrome Proxy.
I don't know if this is the best approach,
but I check the client IP using reverse DNS and, if the IP came from Google,
I change it for the first IP in the XForwardedFor header.
Doing that, the GeoIP module can be executed with the "real ip" instead of
the Google one.

If you want to look at how I did it, the code is here:
https://github.com/wandenberg/nginx-trusted-proxy-....
(The idea is to expand this module to support other mobile proxies like
Windows Phone and Mini Opera.)

Regards,
Wandenberg

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250823,252190#msg-252190