I want add block IP address into nginx configure.But it still can be accessed using curl !
...
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent $request_time "$http_referer" '
'"$http_user_agent" REALIP"$http_x_forwarded_for"';
location / {
include /usr/local/nginx/blockip.conf;
root html;
index index.html index.htm;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8080;
}
...
the blockip.conf
deny 1.2.3.4;
deny 3.4.5.6;
There are two situations here.
1.Point to server directly using domain name (A record),blockip can work well.
2.When add ddos defence server,nginx deny rule not working anymore!
But I can get real IP from the nginx-access-log. Here logs example:
defence-server-IP - - [23/Mar/2020:14:15:59 +0800] "GET /walle HTTP/1.1" 404 1079 0.001 "-" "curl/7.58.0" REALIP"1.2.3.4"
defence-server-IP - - [23/Mar/2020:14:16:07 +0800] "GET /walle HTTP/1.1" 404 1079 0.000 "-" "curl/7.58.0" REALIP"3.4.5.6"
solution
By the way.I change nginx to openresty
server {
...
set_real_ip_from defence-server-ip-ranges/24;
...
real_ip_header X-Forwarded-For;
include /usr/local/nginx/blockip.conf;
location {...}
...
}