Nginx set_real_ip_from AWS ELB load balancer address

Question

I have a set of Nginx servers behind an Amazon ELB load balancer. I am using set_real_ip (from the HttpRealIpModule) so that I can access the originating client IP address on these servers (for passing through to php-fpm and for use in the HttpGeoIPModule).

It seems that set_real_ip_from in the nginx configuration can only accept an IP address. However, with regard to ELB machines Amazon say:

Note: Because the set of IP addresses associated with a LoadBalancer can change over time, you should never create an "A" record with any specific IP address. If you want to use a friendly DNS name for your LoadBalancer instead of the name generated by the Elastic Load Balancing service, you should create a CNAME record for the LoadBalancer DNS name, or use Amazon Route 53 to create a hosted zone. For more information, see the Using Domain Names With Elastic Load Balancing

But if I need to input an IP address I can't use a CNAME (either amazon's or my own). Is there a solution to this problem?

score 54 · Accepted Answer · answered Nov 16 '11 at 16:25

54

If you can guarantee that all requests will be coming from ELB (I'm not familiar with it), you could try:

real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;

That should tell nginx to trust an X-Forwarded-For header from anyone. The downside is that if anyone directly accesses your server, they would be able to spoof an X-Forwarded-For header and nginx would use the wrong client ip address.

answered Nov 16 '11 at 16:25

kolbyjack

7,854
2
34
29

2

Thanks - I didn't realise I could add an IP range there... I'll check if there is a more specific range that the ELB could be on (I think `10.0.0.1/8` would work although there may be something more specific) – vitch Nov 16 '11 at 17:32
I added a follow up question to find out if anyone knows the valid range: http://serverfault.com/questions/331697/ip-range-for-internal-private-ip-of-amazon-elb – vitch Nov 16 '11 at 18:52
If it's a VPC ALB, your range(s) is(are) the same as your subnet ranges of which the LB is a part. – talonx Sep 12 '18 at 07:22
Note that if you **cannot** guarantee that all requests will be coming from ELB, you are vulnerable to IP spoofing, which enables attackers to bypass IP-based rate limiting trivially: `curl -H 'X-Forwarded-For: 127.0.0.1' https://website`. To avoid this, you can use ALB VPC's private IP address range instead (assuming you trust all your servers within that VPC). – Sumit Nov 04 '20 at 05:28

score 18 · Answer 2 · answered Feb 16 '15 at 20:13

18

Today's best practice is to use VPC, so, then, you will know the exact CIDR for your ELB. Then, you can add something like this to your Nginx configuration file:

real_ip_header X-Forwarded-For;
set_real_ip_from 10.0.0.0/8;

answered Feb 16 '15 at 20:13

nikolay

281
2
4

Seeing as the question is from 2011 it's possible that option wasn't available then. I just include all possible private networks since outside users won't get to them easily. – Jordan Reiter Jun 22 '16 at 20:14

score 11 · Answer 3 · answered Jul 31 '15 at 16:01

11

Use the VPC CIDR for set_real_ip_from You can find it in Amazon console under VPC => Your VPC (replace <your VPC CIDR here> with it):

real_ip_header X-Forwarded-For;
set_real_ip_from <your VPC CIDR here>;

answered Jul 31 '15 at 16:01

Alexander Paramonov

211
2
3

score 5 · Answer 4 · answered Mar 12 '19 at 16:28

The realip_module states that in case of X-Forwarded-For, this module uses the last ip address in the X-Forwarded-For header for replacement. This module will not work when only real_ip_header and set_real_ip_form are set. This is because this module will use a proxy IP address instead of a client IP. To solve this real_ip_recursive directive should be enabled.

Further, if you have SSL certificates that are deployed and renewed on the instance (like say letsencrypt or certbot certificates). These certificate authorities might try to validate those certificates via IPV6.

So it is important to also have IPV6. So the Nginx config file should also contain set_real_ip_from IPV6 address.

real_ip_header X-Forwarded-For;
real_ip_recursive on;
set_real_ip_from <your VPC IPV4 CIDR here>;
set_real_ip_from <your VPC IPV6 CIDR here>;

if additional security resitrictions apply, we may also need to include set_real_ip_from VPC CIDR (both IPV4 and IPV6) for cloudfront/elb/ec2 subnets.

score 4 · Answer 5 · edited Apr 13 '17 at 12:14

4

Setting the trusted range to 0.0.0.0/0 on Amazon ELB is for sure going to get you into trouble. You can guarantee that the requests comes from the ELB if you can configure the security group for your nginx server, but the original request will originate from any possible source (Amazon ELBs are public interfaces).

A simple test will reveal this:

curl --header "X-Forwarded-For: 1.2.3.4" "http://your-elb-dns-address/"

The logs on your nginx server will then show 1.2.3.4 as the real IP, which is a spoofed one. See IP Range for internal private IP of Amazon ELB for better answers.

edited Apr 13 '17 at 12:14

Community

1

answered Jul 23 '13 at 07:59

Even André Fiskvik

41
4

3

This would only be an issue if you set [real_ip_recursive](http://nginx.org/r/real_ip_recursive) on, which isn't the default, and didn't even exist when I originally answered the question. – kolbyjack May 09 '14 at 11:41

Nginx set_real_ip_from AWS ELB load balancer address

5 Answers5

Linked