
I run nginx webservers behind an elastic load balancer in AWS. The real IP is obtained through X-Forwarded-For. The issue I face is how to use this to deny all and whitelist only specific sources for particular locations.

Something like: location /test/ { include /etc/nginx/allowed-XForwardedFor.conf; deny all; }

Can I catch the X-Forwarded-For IPs with a variable and then use it in the conf file, or in some way use it with the allow option in locations, or do it with the help of an if conditional?

1 Answer


Use the nginx realip module, and then you don't have to worry about the X-Forwarded-For header; you can just act on IP addresses as if the load balancer wasn't there.

A sample configuration:

http {
        real_ip_header X-Forwarded-For;
        set_real_ip_from 172.19.0.0/16; # Netblock for my ELBs; X-Forwarded-For is only trusted from these peers
}
– Michael Hampton
  • I already use the above config in the http {} block but when I try doing a source whitelist on the basis of location like: location /test/ { allow ip; deny all;} it does not work. Hence I was wondering if I could use x-forwarded-for as a variable directly in the location directive. Is there anything else I should be doing or checking? – linuxtester Jul 25 '14 at 05:06
  • Well, you should ask your real question first. It will save you a lot of time :) – Michael Hampton Jul 25 '14 at 05:16
  • Hey, apologies for not being clear enough to be understood :) – linuxtester Jul 25 '14 at 06:13
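The reason the answer's approach works, and the reason a per-location `allow`/`deny` must not be driven by the raw X-Forwarded-For header, is that the header is client-controlled: anything a client puts in it arrives at nginx untouched, with the ELB only appending the address it actually saw. The realip module resolves this by trusting the header only when the TCP peer is in `set_real_ip_from`, reading it from the right, and (with `real_ip_recursive on`) skipping further trusted hops; `$remote_addr` is then rewritten, so the access module's `allow`/`deny` in a location sees the real client. The following Python is an added, simplified model of that resolution written for this page; it is not nginx code and not part of the original answer. The 172.19.0.0/16 netblock is the one from the answer; the /test/ allow list and all client addresses are constructed sample values.

```python
import ipaddress

# Constructed sample data, not from the original page. 172.19.0.0/16 is the
# ELB netblock used in the answer; the /test/ allow list is an assumed value.
TRUSTED_PROXIES = [ipaddress.ip_network("172.19.0.0/16")]
TEST_LOCATION_ALLOW = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(addr, networks):
    """True if addr (an ipaddress object) falls inside any of the networks."""
    return any(addr in net for net in networks)


def real_client_ip(remote_addr, xff_header, trusted_proxies, recursive=True):
    """Simplified model of ngx_http_realip_module with real_ip_header X-Forwarded-For.

    remote_addr     -- the TCP peer that connected to nginx ($remote_addr)
    xff_header      -- the X-Forwarded-For header value, or None
    trusted_proxies -- the set_real_ip_from networks
    recursive       -- models real_ip_recursive on/off

    The header is only honoured when the TCP peer is a trusted proxy. Entries
    are then read right to left (the rightmost one was appended by the proxy
    that connected to us). With recursive=False the rightmost entry wins; with
    recursive=True trusted addresses are skipped and the first untrusted one is
    the client. Client-supplied entries further left are never reached unless
    every hop in between is trusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not _in_any(peer, trusted_proxies):
        return remote_addr

    candidate = remote_addr
    for entry in reversed([e.strip() for e in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            break  # malformed entry: stop walking, keep the last valid one
        candidate = entry
        if not recursive or not _in_any(addr, trusted_proxies):
            break
    return candidate


def allowed_for_test_location(client_ip, allow=TEST_LOCATION_ALLOW):
    """Equivalent of `allow <net>; deny all;` inside location /test/."""
    return _in_any(ipaddress.ip_address(client_ip), allow)


def decide(remote_addr, xff_header, recursive=True):
    """Resolve the real client, then apply the /test/ allow list.

    Returns (client_ip, allowed).
    """
    client = real_client_ip(remote_addr, xff_header, TRUSTED_PROXIES, recursive)
    return client, allowed_for_test_location(client)


if __name__ == "__main__":
    # 1. Normal request through the ELB: the ELB appends the client's address.
    print(decide("172.19.4.10", "203.0.113.7"))  # ('203.0.113.7', True)
    # 2. Direct connection to nginx with a forged header: header is ignored.
    print(decide("198.51.100.9", "203.0.113.7"))  # ('198.51.100.9', False)
    # 3. Forged header sent through the ELB: the ELB appends the true peer and
    #    the right-to-left walk stops there, so the forgery is ignored.
    print(decide("172.19.4.10", "203.0.113.7, 198.51.100.9"))  # ('198.51.100.9', False)
    # 4. Two trusted hops: real_ip_recursive on reaches the client, off does not.
    print(decide("172.19.4.10", "203.0.113.7, 172.19.8.8", recursive=True))   # ('203.0.113.7', True)
    print(decide("172.19.4.10", "203.0.113.7, 172.19.8.8", recursive=False))  # ('172.19.8.8', False)
```

Two practical checks follow from the model: `set_real_ip_from` should list only the load balancer's netblock, since any host that can connect from a trusted range can forge the resolved address, and if nginx is reachable directly (bypassing the ELB) the header is simply ignored and the connecting peer is used, which is the safe default.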