Forwarding Real-IP Nginx - Question


#1

In the blog post Forwarding Real-IP Nginx, it mentions that the

set_real_ip_from can either be set to

set_real_ip_from 0.0.0.0/0;

or the address of the load balancer, eg:

set_real_ip_from 1.2.3.4;, for security.

We have multiple clusters, each with a different load balancer, however, the configuration is shared. This makes it difficult to set the specific IP address for each cluster. Is it possible to limit this IP to just internal IP addresses, eg.

set_real_ip_from 10.0.0.0/8;

How secure would this be? It doesn’t allow any IP, but it is not very specific either.

What security risks are there?

Thanks,

Steve


#2

That article is not about security.

set_real_ip is used when nginx is running behind a proxy and you want applications to see the real visitor's IP rather than the IP of the front-end machine. It will not block or filter any kind of traffic based on IP addresses.

A valid use case is when your nginx site is using cloudflare. Sample - https://support.cloudflare.com/hc/en-us/articles/200170706-Does-CloudFlare-have-an-IP-module-for-Nginx-

If you want to allow/deny traffic from particular IP, please use http://wiki.nginx.org/HttpAccessModule


#3

I realise that. That's what I am trying to do, I'm just saying that I cannot use the specific IP address of my load balancer, so is it acceptable to use set_real_ip_from 10.0.0.0/8;, or is that just as insecure as setting any address with set_real_ip_from 0.0.0.0/0;?


#4

If you have all machines in a private LAN, you may use set_real_ip_from 10.0.0.0/8 safely assuming that all machines have 10.0.0.0/8 private-ip in LAN.

If not, I will recommend using set_real_ip_from multiple times, like...

set_real_ip_from 10.1.2.4;
set_real_ip_from 10.2.3.5;
set_real_ip_from 10.2.3.6;
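To make the difference between the three options in this thread concrete, here is an added model (not nginx code, and not posted by anyone in the thread) of how the realip module picks the client address from X-Forwarded-For for each set_real_ip_from policy. The addresses, the forged header and the "compromised internal host" case are constructed for illustration; the model assumes real_ip_header X-Forwarded-For with real_ip_recursive on.

```python
import ipaddress

def _trusted(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def resolve_client_ip(remote_addr, xff, set_real_ip_from, recursive=True):
    """Model of nginx's realip module with `real_ip_header X-Forwarded-For`.

    The header is honoured only if the peer that connected to nginx
    (remote_addr) matches a set_real_ip_from entry. With real_ip_recursive
    on, trusted addresses are peeled from the right end of the header until
    the first untrusted one, which becomes the client IP; if every entry is
    trusted the leftmost survives. With recursive off, the rightmost entry
    is used as-is.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in set_real_ip_from]
    if not _trusted(remote_addr, nets):
        return remote_addr          # header from an untrusted peer is ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr
    if not recursive:
        return hops[-1]
    for hop in reversed(hops):
        if not _trusted(hop, nets):
            return hop
    return hops[0]

# Constructed sample traffic: real client 203.0.113.7 sends a forged
# X-Forwarded-For of 198.51.100.99; load balancer 10.1.2.4 appends the
# address it actually saw, as load balancers normally do.
FORGED = "198.51.100.99, 203.0.113.7"

def compare_policies():
    cases = {
        "any_via_lb":       ("10.1.2.4",    FORGED,          ["0.0.0.0/0"]),
        "any_direct":       ("203.0.113.7", "198.51.100.99", ["0.0.0.0/0"]),
        "rfc1918_via_lb":   ("10.1.2.4",    FORGED,          ["10.0.0.0/8"]),
        "rfc1918_direct":   ("203.0.113.7", "198.51.100.99", ["10.0.0.0/8"]),
        # hypothetical compromised host anywhere in 10/8 is still a trusted peer
        "rfc1918_internal": ("10.9.9.9",    "198.51.100.99", ["10.0.0.0/8"]),
        "exact_internal":   ("10.9.9.9",    "198.51.100.99", ["10.1.2.4", "10.2.3.5"]),
    }
    return {name: resolve_client_ip(*args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, seen in compare_policies().items():
        print(f"{name:18} -> application sees {seen}")
```

The 10.0.0.0/8 policy ignores forged headers from the Internet and strips only the load balancer hop, but any peer inside 10/8 that can reach nginx directly is trusted, which is what listing exact load-balancer addresses closes off.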


#5