I have 6 Nginx servers behind load balancer. Of course, if I just try to "deny" based on IP address it does not work as the app servers just see the load balancer IP.
However, I learned about the Real IP module and I have that enabled in the following way:
set_real_ip_from 0.0.0.0/0;
real_ip_header X-Real-IP;
So, now that I have the X-Real_IP header set correctly, how I can then configure Nginx to use block certain users who's "X-Real-IP" value equals a set of IPs?
That's easy. Nginx's "geo" module lets define a variable with value depending on the client's IP address:
geo $ban_ip {
default 0;
10.1.0.0/24 1;
};
geo directive should be at http level (e.g. outside server). There is a convenient way to include large IP databases via include or ranges, see the documentation
So, assuming you have such a variable, you may return whatever status codes you'd like, e.g. 403 or 404 (at server level or in location):
if ($ban_ip) {
return 403;
}
If you'd like to silently drop the connection, use
if ($ban_ip) {
return 444;
}
444 is a non-standard status code used internally to instruct Nginx to drop the connection. (thus a client does not see it)
There's an Application Firewall 3rd Party module for nginx called naxsi, I think it could handle the problem.
