Allow and Deny IP's

Kaushal Shriyan
Allow and Deny IP's
February 05, 2018 07:30PM
Hi,

When I run this curl call -> curl -X GET http://13.127.165.226/ -H 'cache-control: no-cache' -H 'postman-token: 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H 'x-forwarded-for: 12.12.12.13.11'

Ideally the request should not be allowed and the access log should report 403 instead of 200.
I get 200 OK in the access.log.

location / {
proxy_set_header X-Forwarded-For $remote_addr;
allow 182.76.214.126/32;
allow 116.75.80.47/32;
deny all;
error_page 404 /404.html;
location = /40x.html {
}

Please let me know if I am missing anything.

Best Regards,

Kaushal
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Ph. Gras
Re: Allow and Deny IP's
February 06, 2018 01:10AM
Hello there!


location ~* wp-login\.php$ {
allow 127.0.0.1;
allow A.B.C.D; # My server's IP
allow E.F.G.H/13; # The IP range where I am
deny all;
if ($http_user_agent = "-") { return 403;}
if ($http_user_agent = "") { return 403;}
if ($http_referer = "-") { return 403;}
if ($http_referer = "") { return 403;}
limit_conn limit 5;
}

185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "POST /wp-login.php HTTP/1.1" 200 1688 "http://www.example.com/wp-login.php"; "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
81.177.126.235 - - [05/Feb/2018:22:08:21 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
81.177.126.235 - - [05/Feb/2018:22:08:22 +0100] "POST /wp-login.php HTTP/1.1" 200 1688 "http://www.example.com/wp-login.php"; "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
109.252.93.223 - - [06/Feb/2018:00:20:05 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
109.252.93.223 - - [06/Feb/2018:00:20:05 +0100] "POST /wp-login.php HTTP/1.1" 200 1688 "http://www.example.com/wp-login.php"; "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
95.26.90.3 - - [06/Feb/2018:00:20:10 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
95.26.90.3 - - [06/Feb/2018:00:20:11 +0100] "POST /wp-login.php HTTP/1.1" 200 1688 "http://www.example.com/wp-login.php"; "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"

Me too :-(

Ph. Gras

Kaushal Shriyan
Re: Allow and Deny IP's
February 06, 2018 04:00PM
Hi,

Checking in if anyone can pitch in for help for my post to this mailing
list.

Thanks in Advance.

Best Regards,

Kaushal
Francis Daly
Re: Allow and Deny IP's
February 07, 2018 01:00AM
On Tue, Feb 06, 2018 at 01:02:22AM +0100, Ph. Gras wrote:

Hi there,

> location ~* wp-login\.php$ {

> 185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"

> Me too :-(

Have you any reason to believe that this location is used to handle this request?

$ nginx -T | grep 'server\|location'

will possibly give a useful hint in that direction.

For what it is worth, if I use:

==
server {
listen 8888;
location /x/ {
allow 127.0.0.1;
deny all;
}
}
==

then

$ curl -i http://127.0.0.1:8888/x/

gives me http 200 (html/x/index.html exists), while

$ curl -i http://127.0.0.2:8888/x/

gives me http 403.

So - "works for me". What do you see, when you test that?

What parts of your current config do you have to add, in order for that
test to fail for you?

f
--
Francis Daly francis@daoine.org
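To make Francis's question concrete ("is this location actually handling the request?"), here is a small Python model of nginx's documented location selection order: an exact-match location wins outright, otherwise the longest matching prefix is remembered (and used immediately if it carries ^~), otherwise regular-expression locations are tried in the order they appear in the config, and only if none matches does the longest prefix apply. This is an added example, not nginx's code; the two configurations in it are constructed to show the failure mode the thread suspects (a generic `location ~ \.php$` declared earlier captures /wp-login.php, so the allow/deny block is never consulted) and the fix Ph. Gras later reports (an exact-match location, which wins regardless of order). The labels stand in for the distinct add_header values Jason suggests for the same check.

```python
import re
from dataclasses import dataclass


@dataclass
class Location:
    modifier: str  # "=", "^~", "~", "~*" or "" for a plain prefix location
    pattern: str   # prefix string or regular expression, as written in nginx.conf
    label: str     # plays the role of an add_header X-NGINX-Route value


def select_location(locations, uri):
    """Return the Location nginx would pick for `uri`, following the documented
    order: exact match, then longest prefix (final if it carries ^~), then the
    first regex in configuration order, then the longest prefix after all."""
    # 1. an exact match ends the search immediately, wherever it is declared
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    # 2. longest matching prefix among plain and ^~ locations
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best
    # 3. regular expressions, in the order they appear in the config
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    # 4. nothing else matched: fall back to the longest prefix
    return best


# Constructed config resembling what the thread suspects: a generic PHP handler
# declared before the wp-login.php allow/deny block.
BEFORE_FIX = [
    Location("", "/", "root"),
    Location("~", r"\.php$", "php-handler"),         # declared first, so it wins for any .php URI
    Location("~*", r"wp-login\.php$", "login-acl"),  # never reached for /wp-login.php
]

# Same config plus the exact-match location Ph. Gras switched to.
AFTER_FIX = [Location("=", "/wp-login.php", "login-acl")] + BEFORE_FIX


def route_label(locations, uri):
    """Label of the location that would serve `uri`, or None if none matches."""
    loc = select_location(locations, uri)
    return loc.label if loc else None


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        for uri in ("/wp-login.php", "/index.php", "/about/"):
            print(f"{name:6} {uri:14} -> {route_label(cfg, uri)}")
```

The practical check remains the one Francis and Jason describe: list the location directives in config order, or tag each block with a distinct response header, and confirm which one answers the request before debugging the allow/deny rules inside it.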
Francis Daly
Re: Allow and Deny IP's
February 07, 2018 01:10AM
On Mon, Feb 05, 2018 at 11:56:04PM +0530, Kaushal Shriyan wrote:

Hi there,

> When i run this curl call -> curl -X GET http://13.127.165.226/ -H
> 'cache-control: no-cache' -H 'postman-token:
> 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H 'x-forwarded-for: 12.12.12.13.11'
>
> Ideally the request should not be allowed and the access log should report
> 403 instead of 200

Why should it not be allowed?

What IP address are you making the request from?

> I get 200 OK in the access.log
>
> location / {
> proxy_set_header X-Forwarded-For $remote_addr;
> allow 182.76.214.126/32;
> allow 116.75.80.47/32;
> deny all;
> error_page 404 /404.html;
> location = /40x.html {
> }
>
> Please let me know if i am missing anything.

Your config fragment is incomplete. But when I use something similar,
I get the expected http 200 from an address in the "allow" list, and
the expected http 403 from an address not in the "allow" list.

The output of "nginx -V" might be interesting, in case you are using a
version that has broken allow/deny handling.

f
--
Francis Daly francis@daoine.org
Kaushal Shriyan
Re: Allow and Deny IP's
February 07, 2018 05:30PM
On Wed, Feb 7, 2018 at 5:32 AM, Francis Daly <[email protected]> wrote:

> On Mon, Feb 05, 2018 at 11:56:04PM +0530, Kaushal Shriyan wrote:
>
> Hi there,
>
> > When i run this curl call -> curl -X GET http://13.127.165.226/ -H
> > 'cache-control: no-cache' -H 'postman-token:
> > 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H 'x-forwarded-for:
> 12.12.12.13.11'
> >
> > Ideally the request should not be allowed and the access log should
> report
> > 403 instead of 200
>
> Why should it not be allowed?
>

Hi Francis,

In the curl request I am adding the HTTP header -H 'x-forwarded-for: 12.12.12.13.11'

curl -X GET http://13.127.165.226/ -H 'cache-control: no-cache' -H 'postman-token: 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H 'x-forwarded-for: 12.12.12.13.11'

IP :- 12.12.12.13.11 should be denied with 403

Please let me know if I am missing anything.

Best Regards,

Kaushal
Francis Daly
Re: Allow and Deny IP's
February 07, 2018 05:40PM
On Wed, Feb 07, 2018 at 09:57:04PM +0530, Kaushal Shriyan wrote:
> On Wed, Feb 7, 2018 at 5:32 AM, Francis Daly <[email protected]> wrote:
> > On Mon, Feb 05, 2018 at 11:56:04PM +0530, Kaushal Shriyan wrote:

Hi there,

> In the curl request I am adding http header -H 'x-forwarded-for: 12.12.12.13.11'
>
> curl -X GET http://13.127.165.226/ -H 'cache-control: no-cache' -H 'postman-token: 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H 'x-forwarded-for: 12.12.12.13.11'
>
> IP :- 12.12.12.13.11 should be denied with 403
>
> Please let me know if I am missing anything.

No part of your config that I can see says to use the contents of the
x-forwarded-for header to determine whether the request should be allowed
or denied.

Is that in a part of the configuration that you did not show?

(Also: 12.12.12.13.11 is not an IP address.)

f
--
Francis Daly francis@daoine.org
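Francis's point is worth spelling out: allow and deny compare $remote_addr, the address of the TCP peer, and the `proxy_set_header X-Forwarded-For $remote_addr` line in the original config only sets the header nginx sends upstream; nothing shown reads the incoming X-Forwarded-For. The Python below is an added example, not nginx's code: it models ngx_http_access_module's first-match rule evaluation and, for the case where a known load balancer sits in front of nginx, the substitution ngx_http_realip_module makes when `set_real_ip_from` and `real_ip_header X-Forwarded-For` are configured. The allow list is the one from the original post; the 10.0.0.0/8 proxy network and the 203.0.113.5 / 198.51.100.9 client addresses are constructed for the demonstration.

```python
import ipaddress

# The allow/deny list from the original post, in configuration order. nginx's
# access module evaluates rules top-down; the first one whose network contains
# the client address decides, and if none matches the request is allowed.
OP_RULES = [
    ("allow", "182.76.214.126/32"),
    ("allow", "116.75.80.47/32"),
    ("deny", "all"),
]


def effective_client_ip(remote_addr, xff_header=None, trusted_proxies=(), recursive=False):
    """Model of the address nginx tests against allow/deny.

    With no realip configuration this is simply $remote_addr, the TCP peer: the
    X-Forwarded-For header is never consulted, whatever the client puts in it.
    With set_real_ip_from networks (trusted_proxies) and real_ip_header
    X-Forwarded-For, the header is honoured only when the peer itself is a
    trusted proxy; real_ip_recursive on additionally skips trusted addresses
    from the right end of the header.
    """
    remote = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not any(remote in net for net in trusted) or not xff_header:
        return remote
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    chosen = remote
    for hop in reversed(hops):  # the rightmost entry was appended by the nearest proxy
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            # "12.12.12.13.11" is not an IP address: the header is ignored as a whole
            return remote
        chosen = candidate
        if not recursive or not any(candidate in net for net in trusted):
            break
    return chosen


def access_decision(rules, client_ip):
    """First matching allow/deny rule wins, mirroring ngx_http_access_module."""
    ip = ipaddress.ip_address(str(client_ip))
    for verdict, network in rules:
        if network == "all" or ip in ipaddress.ip_network(network):
            return 200 if verdict == "allow" else 403
    return 200  # no rule matched: access is not restricted


def status_for_request(rules, remote_addr, xff_header=None, trusted_proxies=(), recursive=False):
    """HTTP status the access check would yield for one request."""
    client = effective_client_ip(remote_addr, xff_header, trusted_proxies, recursive)
    return access_decision(rules, client)


if __name__ == "__main__":
    # Constructed addresses: 10.0.0.0/8 is a hypothetical load-balancer network,
    # 203.0.113.5 and 198.51.100.9 are documentation addresses standing in for clients.
    LB = ["10.0.0.0/8"]
    cases = [
        ("allowed peer, bogus header, no realip", "182.76.214.126", "12.12.12.13.11", ()),
        ("unlisted peer, no realip", "203.0.113.5", None, ()),
        ("via trusted LB, unlisted client", "10.0.0.7", "198.51.100.9", LB),
        ("via trusted LB, allowed client", "10.0.0.7", "182.76.214.126", LB),
        ("untrusted peer setting XFF itself", "203.0.113.5", "182.76.214.126", LB),
    ]
    for label, peer, xff, proxies in cases:
        print(f"{label:38} -> {status_for_request(OP_RULES, peer, xff, proxies)}")
```

The first case reproduces the thread: the connection comes from an allowed address, so the response is 200 no matter what X-Forwarded-For says. The last case is the reason realip restricts itself to set_real_ip_from networks: a header supplied directly by an untrusted peer must not be able to move that peer onto the allow list, so it is left out of the decision entirely. If nginx really does sit behind a proxy, the same test with the proxy's network as trusted_proxies shows the forwarded address being checked instead.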
Ph. Gras
Re: Allow and Deny IP's
February 07, 2018 07:30PM
Hi Francis,

>> location ~* wp-login\.php$ {
>
>> 185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
>
>> Me too :-(
>
> Have you any reason to believe that this location is used to handle this request?

Yes, and this especially since before, it worked as expected :-(

>
> $ nginx -T | grep 'server\|location'
>
> will possibly give a useful hint in that direction.

# nginx -T | grep "www.example.com/wp-login.php"
nginx: invalid option: "T"

Is something missing?

# apt-show-versions | grep nginx
nginx:all/jessie 1.6.2-5+deb8u5 uptodate
nginx-common:all/jessie 1.6.2-5+deb8u5 uptodate
nginx-full:amd64/jessie 1.6.2-5+deb8u5 uptodate
python-certbot-nginx:all/jessie-backports 0.10.2-1~bpo8+1 uptodate

Thank you for your help,

Ph. Gras
Jason Whittington
Re: Allow and Deny IP's
February 07, 2018 09:20PM
I find that add_header always works well to verify that the location is being chosen the way you think.

Try something like

add_header X-NGINX-Route <foobar> always;

to some of your location blocks and specify different distinct values for <foobar>.

Then in your browser you can use F12 tools to verify that you are getting back the header you expected.

Jason


-----Original Message-----
From: nginx [mailto:[email protected]] On Behalf Of Ph. Gras
Sent: Wednesday, February 07, 2018 12:29 PM
To: nginx@nginx.org
Subject: [IE] Re: Allow and Deny IP's

Hi Francis,

>> location ~* wp-login\.php$ {
>
>> 185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
>
>> Me too :-(
>
> Have you any reason to believe that this location is used to handle this request?

Yes, and this especially since before, it worked as expected :-(

>
> $ nginx -T | grep 'server\|location'
>
> will possibly give a useful hint in that direction.

# nginx -T | grep "www.example.com/wp-login.php"
nginx: invalid option: "T"

Is something missing ?

# apt-show-versions | grep nginx
nginx:all/jessie 1.6.2-5+deb8u5 uptodate nginx-common:all/jessie 1.6.2-5+deb8u5 uptodate nginx-full:amd64/jessie 1.6.2-5+deb8u5 uptodate python-certbot-nginx:all/jessie-backports 0.10.2-1~bpo8+1 uptodate

Thank your for your help,

Ph. Gras
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

This message contains proprietary information from Equifax which may be confidential. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmaster@equifax.com. Equifax® is a registered trademark of Equifax Inc. All rights reserved.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Ph. Gras
Re: Allow and Deny IP's
February 07, 2018 11:50PM
Hmmm!

>>> location ~* wp-login\.php$ {
>>
>>> 185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
>>
>>> Me too :-(
>>
>> Have you any reason to believe that this location is used to handle this request?
>
> Yes, and this especially since before, it worked as expected :-(

You're right. It's working better with a / before the path :-)

location =/wp-login.php {
# etc;
}

Thanks for all,

Ph. Gras
Francis Daly
Re: Allow and Deny IP's
February 08, 2018 09:30AM
On Wed, Feb 07, 2018 at 07:28:37PM +0100, Ph. Gras wrote:

Hi there,

> >> location ~* wp-login\.php$ {
> >
> >> 185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
> >
> >> Me too :-(
> >
> > Have you any reason to believe that this location is used to handle this request?
>
> Yes, and this especially since before, it worked as expected :-(

I see in other mail that that has become fixed -- probably this location
was not being used for this request, owing to an earlier "location ~
php", or something else that was changed since it had been working before.

> > $ nginx -T | grep 'server\|location'
> >
> > will possibly give a useful hint in that direction.
>
> # nginx -T | grep "www.example.com/wp-login.php"
> nginx: invalid option: "T"

I actually meant literally "grep 'server\|location'", to show the
server{} blocks (and server_name directives) and the location directives
in your config, which might be enough to show which location{} is used
for one request.

But your nginx version is from before "-T" was added, so you would have
to look in the config file (and any include:d files) directly, and there
isn't a simple one-liner to do that.

And now that it works for you, it is not important any more :-)

f
--
Francis Daly francis@daoine.org