GeoIP Module for Blocking IP in http_x_forwarded_for

anish10dec
GeoIP Module for Blocking IP in http_x_forwarded_for
January 11, 2018 01:20PM
The GeoIP module is able to block requests on the basis of the remote address,
which is the IP of the remote device or user, but not on the basis of the
X-Forwarded-For IP if it has multiple IP addresses in it.

There is a Frontend Server (Server A) which receives the request and sends it
to an Intermediate Server (Server B).
We have the GeoIP module installed on the Intermediate Server, i.e. Server B.


Server B <--- Server A <---- User

When Server B receives the request from Server A, the remote address
(remote_addr) for Server B is the IP of Server A.
The Device/User IP is in the http_x_forwarded_for field.
If http_x_forwarded_for has a single IP in it, the GeoIP module is able to block
the IP on the basis of the blocking applied.

If http_x_forwarded_for has multiple IPs, i.e. the IP of the User as well as the
IP of some Proxy Server or the IP of Server A, then it's not able to block the
request.

Below is the configuration:

geoip_country /usr/share/GeoIP/GeoIP.dat;
# GeoIP module ignores remote_addr, considering it as trusted, and refers to X-Forwarded-For
geoip_proxy IP_OF_ServerA;

map $geoip_country_code $allowed_country {
    default no;
    US yes;
}

http_x_forwarded_for = { User IP of UK } - Request from this IP is getting
blocked

http_x_forwarded_for = { User IP of UK , Proxy IP of US } - This request
is not getting blocked

http_x_forwarded_for = { User IP of UK , IP of Server A } - This request
is not getting blocked

It seems the nginx GeoIP module refers to the last IP in the
http_x_forwarded_for field for applying the blocking method.

Is there a way to check for the first IP address in http_x_forwarded_for for
blocking the request?

Please suggest.

Please refer to this for the solution in Apache:
https://dev.maxmind.com/geoip/legacy/mod_geoip2/

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278110,278110#msg-278110

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: GeoIP Module for Blocking IP in http_x_forwarded_for
January 11, 2018 03:20PM
Hello!

On Thu, Jan 11, 2018 at 07:17:20AM -0500, anish10dec wrote:

> GeoIP module is able to block request on basis of remote address which is IP
> of the remote device or user but not on basis of X-Forwarded-For IP if it
> has multiple IP address in it.
>
> There is Frontend Server( Server A) which receives the request and send it
> to Intermediate Server (Server B)
> We have GeoIP module installed on Intermediate Server i.e. Server B
>
>
> Server B <--- Server A <---- User
>
> When Server B , receives the request from Server A, remote address
> (remote_addr) for Server B is IP of Server A.
> Device/User IP is in http_x_forwarded_for field .
> If http_x_forwarded_for has single IP in it GeoIP module is able to block
> the IP on the basis of blocking applied.
>
> If http_x_forwarded_for has multiple IP i.e IP of User as well as IP of some
> Proxy Server or IP of Server A, then its not able to block the request.
>
> Below is the configuration :
>
> geoip_country /usr/share/GeoIP/GeoIP.dat;
> geoip_proxy IP_OF_ServerA; // GeoIP module ignores remote_addr
> considering it as trusted and refers to X-Forwarded For
>
> map $geoip_country_code $allowed_country {
> default no;
> US yes;
> }
>
> http_x_forwarded_for = { User IP of UK } - Request from this IP is getting
> blocked
>
> http_x_forwarded_for = { User IP of UK , Proxy IP of US } - This request
> is not getting blocked
>
> http_x_forwarded_for = { User IP of UK , IP of Server A } - This request
> is not getting blocked
>
> It seems nginx GeoIP Module refers to Last IP in http_x_forwarded_for field
> for applying the blocking method.

This is what X-Forwarded-For header format assumes: IP addresses
are added to the end of the list. As such, the last address is
the only one you can trust in the above configuration.

That is, a request with

X-Forwarded-For: IP1, IP2, IP3

as got from Server A doesn't mean that you've got a request from
IP1 forwarded to you via various proxies. It instead means that
Server A got the request from IP3 with "X-Forwarded-For: IP1, IP2"
already present in the request. Nothing guarantees that IP1 and
IP2 are real addresses - they can be easily faked by the client,
or they can be internal addresses in the client network.

> Is there a way to check for First IP Address in http_x_forwarded_for for
> blocking the request ?

If you really want to, you can do so using the
geoip_proxy_recursive directive and configuring the geoip_proxy to
trust the whole world, see here:

http://nginx.org/r/geoip_proxy_recursive

Note though that this is generally not secure as the address can
be easily forged, see above.

--
Maxim Dounin
http://mdounin.ru/
Jason Whittington
RE: [IE] GeoIP Module for Blocking IP in http_x_forwarded_for
January 11, 2018 04:50PM
If you control Frontend Server A I would suggest not using X-Forwarded-For for this purpose. Can you have the front end server send a distinct header to server B? X-Real-IP would be a good choice of header. Then Server B could key off that header instead of XFF.

You might find this page interesting:

https://distinctplace.com/2014/04/23/story-behind-x-forwarded-for-and-x-real-ip-headers/

Jason


anish10dec
Re: GeoIP Module for Blocking IP in http_x_forwarded_for
January 17, 2018 01:40PM
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Thu, Jan 11, 2018 at 07:17:20AM -0500, anish10dec wrote:
>
> > GeoIP module is able to block request on basis of remote address which is IP
> > of the remote device or user but not on basis of X-Forwarded-For IP if it
> > has multiple IP address in it.
> >
> > There is Frontend Server( Server A) which receives the request and send it
> > to Intermediate Server (Server B)
> > We have GeoIP module installed on Intermediate Server i.e. Server B
> >
> >
> > Server B <--- Server A <---- User
> >
> > When Server B , receives the request from Server A, remote address
> > (remote_addr) for Server B is IP of Server A.
> > Device/User IP is in http_x_forwarded_for field .
> > If http_x_forwarded_for has single IP in it GeoIP module is able to block
> > the IP on the basis of blocking applied.
> >
> > If http_x_forwarded_for has multiple IP i.e IP of User as well as IP of some
> > Proxy Server or IP of Server A, then its not able to block the request.
> >
> > Below is the configuration :
> >
> > geoip_country /usr/share/GeoIP/GeoIP.dat;
> > geoip_proxy IP_OF_ServerA; // GeoIP module ignores remote_addr
> > considering it as trusted and refers to X-Forwarded For
> >
> > map $geoip_country_code $allowed_country {
> > default no;
> > US yes;
> > }
> >
> > http_x_forwarded_for = { User IP of UK } - Request from this IP is getting
> > blocked
> >
> > http_x_forwarded_for = { User IP of UK , Proxy IP of US } - This request
> > is not getting blocked
> >
> > http_x_forwarded_for = { User IP of UK , IP of Server A } - This request
> > is not getting blocked
> >
> > It seems nginx GeoIP Module refers to Last IP in http_x_forwarded_for field
> > for applying the blocking method.
>
> This is what X-Forwarded-For header format assumes: IP addresses
> are added to the end of the list. As such, the last address is
> the only one you can trust in the above configuration.
>
> That is, a request with
>
> X-Forwarded-For: IP1, IP2, IP3
>
> as got from Server A doesn't mean that you've got a request from
> IP1 forwarded to you via various proxies. It instead means that
> Server A got the request from IP3 with "X-Forwarded-For: IP1, IP2"
> already present in the request. Nothing guarantees that IP1 and
> IP2 are real addresses - they can be easily faked by the client,
> or they can be internal addresses in the client network.
>
> > Is there a way to check for First IP Address in http_x_forwarded_for for
> > blocking the request ?
>
> If you really want to, you can do so using the
> geoip_proxy_recursive directive and configuring the geoip_proxy to
> trust the whole world, see here:
>
> http://nginx.org/r/geoip_proxy_recursive

geoip_proxy_recursive on;

"If recursive search is disabled then instead of the original client address
that matches one of the trusted addresses, the last address sent in
“X-Forwarded-For” will be used. If recursive search is enabled then instead
of the original client address that matches one of the trusted addresses,
the last non-trusted address sent in “X-Forwarded-For” will be used."

Even after enabling this, the last IP address is used, which again is not able
to block the request, as the Client IP is in the 1st position.


>
> Note though that this is generally not secure as the address can
> be easily forged, see above.

Agree.

Tried enabling the GeoIP module on Server A, which looks after the remote
address field and successfully blocks the request.
But the problem here is that it is even blocking the requests coming from
our internal private IP segment, such as 10.0.0.0/27, which are used for
monitoring.

Is there a way to declare a few private IPs or an IP range as trusted addresses
even if they come under blocked countries?

Thanks and Regards,
Anish

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278110,278164#msg-278164

Thanks... We need the Client IP on Server B as well for analytics.


Tried enabling the GeoIP module on Server A, which looks after the remote
address field and successfully blocks the request.
But the problem here is that it is even blocking the requests coming from
our internal private IP segment, such as 10.0.0.0/27, which are used for
monitoring.

Is there a way to declare a few private IPs or an IP range as trusted addresses
even if they come under blocked countries?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278117,278165#msg-278165

Maxim Dounin
Re: GeoIP Module for Blocking IP in http_x_forwarded_for
January 17, 2018 03:50PM
Hello!

On Wed, Jan 17, 2018 at 07:33:43AM -0500, anish10dec wrote:

[...]

> > > Is there a way to check for First IP Address in http_x_forwarded_for for
> > > blocking the request ?
> >
> > If you really want to, you can do so using the
> > geoip_proxy_recursive directive and configuring the geoip_proxy to
> > trust the whole world, see here:
> >
> > http://nginx.org/r/geoip_proxy_recursive
>
> geoip_proxy_recursive on;
>
> "If recursive search is disabled then instead of the original client address
> that matches one of the trusted addresses, the last address sent in
> “X-Forwarded-For” will be used. If recursive search is enabled then instead
> of the original client address that matches one of the trusted addresses,
> the last non-trusted address sent in “X-Forwarded-For” will be used."
>
> Even enabling this last IP Address is used which is again not able to block
> the request as Client IP is at 1st Position.

The "configuring the geoip_proxy to trust the whole world" part of
the quote above is important. That is, you have to do something
like this:

geoip_proxy 0.0.0.0/0;
geoip_proxy_recursive on;

This way all addresses in the X-Forwarded-For header will be
trusted, and nginx will use the first address in the
X-Forwarded-For header.

Note again that this is not secure as the address can be easily
forged.

> > Note though that this is generally not secure as the address can
> > be easily forged, see above.
>
> Agree .
>
> Tried by enabling the Geo IP module on Server A which looks after remote
> address field and successfully blocks the request.
> But the problem here is that it is even blocking the requests coming from
> our Internal Private IP Segment such as 10.0.0.0/27 which are used for
> monitoring .
>
> Is there a way to declare few Private IP's or IP Range as trusted address
> even though if they are coming under blocked countries ?

If you are connecting to the server directly from the private
range, you may want to review your blocking policy. Private
addresses shouldn't have a country associated with them, so you
must be blocking them for some other reasons.

If you are connecting to the server via a proxy server in an
otherwise blocked country, you may want to configure nginx to
trust this specific server using the geoip_proxy directive. This
should be more secure than trusting the whole world.

--
Maxim Dounin
http://mdounin.ru/
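
The address selection described in the two replies above, as an added example that is not part of the thread and not nginx's own code: a simplified Python model of how the trusted-proxy list and the recursive flag decide which X-Forwarded-For entry reaches the country lookup. The addresses and the COUNTRY table are constructed sample data, and `lookup_address` and `allowed` are hypothetical names.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not from the thread.
SERVER_A = "192.0.2.10"
UK_USER, US_PROXY = "198.51.100.7", "203.0.113.5"
COUNTRY = {UK_USER: "GB", US_PROXY: "US"}   # stand-in for the GeoIP database

def _trusted(addr, nets):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)

def lookup_address(remote_addr, xff, trusted, recursive):
    """Simplified model: which address a geoip_proxy-style lookup ends up using."""
    addr = remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # The header is consulted only while the current address is a trusted proxy.
    while hops and _trusted(addr, trusted):
        candidate = hops.pop()              # rightmost entry not yet consumed
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                           # unparsable entry: keep what we have
        addr = candidate
        if not recursive:
            break                           # non-recursive: last entry only
    return addr

def allowed(remote_addr, xff, trusted, recursive):
    """Same policy as the thread's map block: US is 'yes', anything else 'no'."""
    return COUNTRY.get(lookup_address(remote_addr, xff, trusted, recursive)) == "US"

if __name__ == "__main__":
    cases = {
        "UK user via US proxy": f"{UK_USER}, {US_PROXY}",
        # Client-supplied first entry; Server A appends the real peer address.
        "UK user, client-supplied first entry": f"{US_PROXY}, {UK_USER}",
    }
    for label, xff in cases.items():
        only_a = allowed(SERVER_A, xff, [SERVER_A], recursive=False)
        world = allowed(SERVER_A, xff, ["0.0.0.0/0"], recursive=True)
        print(f"{label}: trust Server A only -> {only_a}, trust 0.0.0.0/0 -> {world}")
```

With only Server A trusted, the decision rests on the address Server A itself observed; with 0.0.0.0/0 trusted and recursion on, it rests on the leftmost entry, which the client controls.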