My website does country based redirection based on result obtained from
GeoIP against IP.
I am facing a problem where GeoIP does not work as first IP in the
X-Forwarded-For has Private network address. (Say 192.168.1.1)
I know GeoIP on private network would fail but the X-Forwarded-For also
has
the public IP along with Private IP.
Eg : 192.168.1.1, 115.97.213.63 - - [Timezone] …
In some cases where multiple proxies are involved it would show :
192.168.1.1, 115.97.213.63, 115.97.213.12 - -
I want GeoIP should be done on the first non private ip. I could achieve
this in apache using GeoIP module directive called
“FirstNonPrivateXForwardedForIP”
But this needs a list of subnets / networks to be whitelisted first as a
trusted source. I do not (Can not) have a list of such networks as they
can
be intermediate proxy of any company. Eg : Google chrome on smartphone
uses
Google compression proxy in between before reaching the actual server
where
website is hosted. Opera mini also does the same and similarly don’t
know
who all does it. So I can not have a list of all trusted networks.
I’ve also come across an issue where someone sitting behind a proxy.
(Eg:
Squid on local network) and browse internet then the first IP from left
is
LAN IP (Private network address) and then the public IP follows. Here
GeoIP
country detection fails.
I need a way where I can tell nginx that it should do GeoIP on the First
Public IP from left. Currently due to private address at the first place
GeoIP fails and country is not detected.
who all does it. So I can not have a list of all trusted networks.
You cannot trust X-F-F headers of untrusted third party networks and
proxies,
otherwise everyone can spoof whatever remote IP they want.
Can someone please look into this… I need it for proper website
functionality.
I don’t know the answer to your problem and perhaps, given the lack of
reply, no one on this public mailing list mainly populated by non-nginx
staff does either.
If your business has an immediate, pressing need for support, you may
wish
to take advantage of the professional services nginx offer:
Well I can not comment regarding getting professional service. Infact I
will
be glad to have support but If I go with this approach then I would
rather
be asked to use web server which supports the said feature. (This is
doable
in apache). And I really don’t want to do away with Nginx.
With lack of reply I understand this isn’t possible in nginx at the
moment
but I hope this is taken as feature request so that I can use it in
nginx
and does not have to rely on other web server.
With lack of reply I understand this isn’t possible in nginx at the
moment
but I hope this is taken as feature request so that I can use it in
nginx
and does not have to rely on other web server.
The chances are it’s probably possible, however this mailing list/forum
has a limited subset of nginx users available to assist.
I’m not sure why you have the requirement to use the XFF header to get
geoip, but have you looked at the realip module http://nginx.org/en/docs/http/ngx_http_realip_module.html. My first
thought would be to configure it to ignore RFC1918 addresses so the real
IP would in theory become a true IP which geoip could then use for
locating the user.
I have a piwik install on nginx, behind varnish with another nginx
instance doing SSL termination. Using realip to detect the user’s
location seems to have done the trick.
some time ago I had a similar issue and I grab some parts of nginx
internals
modules and did one specific to me.
My issue was to use the first XForwardedFor IP, but only when the client
address was the Google Chrome Proxy.
I don’t know if this is the best approach,
but I check the client ip using the reverse dns and, if the ip came from
Google,
I change it for the first ip on XFowardedFor header.
Doing that, the GeoIP module can be executed with the “real ip” instead
of
the Google.