Code development platform for open source projects from the European Union institutions


🔧 Use `ngx_http_realip` module

Decision Record

The `X-Forwarded-For` HTTP header contains a list of IP addresses, for example:

```
<real client ip address>, <waf ip address>, <load balancer ip address>, ...
1.2.3.4, 192.168.2.70
```

The `ngx_http_realip` module sets the `$remote_addr` variable to the value of the last untrusted IP from this list:

```nginx
real_ip_header X-Forwarded-For;
real_ip_recursive on;
set_real_ip_from 192.168.2.0/24;
```

The snippet above will therefore set the IP `1.2.3.4` in `$remote_addr`, `192.168.2.70` being in the trusted IP range. Once `$remote_addr` has the correct value, we can use `allow` and `deny` directives again.

In theory, the trusted IP addresses should always be in the range 192.168.2.0/24. But let's make it a configuration variable just to be sure.

Changes

  • Add EC_RPS_TRUSTED_IPS configuration variable
  • 🔥 🔧 Remove use of geo to match X-Forwarded-For
  • 🔧 Configure Proxy with ngx_http_realip module
  • 🔧 Use allow / deny directives instead of geo
  • 🔖 v0.13.0
Edited by David Jose DELASSUS
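
The selection rule described in the Decision Record, as an added example that is not part of the merge request or the project's code: a simplified Python model of how `ngx_http_realip` picks `$remote_addr`, showing why `real_ip_recursive on` ignores entries a client prepends to `X-Forwarded-For`. The peer address `192.168.2.71` and the entry `203.0.113.9` are constructed sample values, and the model assumes plain IP literals without ports in a single header.

```python
from ipaddress import ip_address, ip_network

# Trusted range from the page's set_real_ip_from directive.
TRUSTED = [ip_network("192.168.2.0/24")]


def real_ip(peer, xff, trusted=TRUSTED, recursive=True):
    """Return the address ngx_http_realip would place in $remote_addr.

    peer      -- address of the TCP peer that connected to nginx
    xff       -- raw X-Forwarded-For header value
    recursive -- models real_ip_recursive on/off
    """
    addr = ip_address(peer)
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    # Walk the list right to left, but only while the address we currently
    # hold is trusted: an untrusted hop cannot vouch for entries to its left.
    while entries and any(addr in net for net in trusted):
        try:
            candidate = ip_address(entries.pop())
        except ValueError:
            break  # unparsable entry: keep the last address we accepted
        addr = candidate
        if not recursive:
            break  # real_ip_recursive off: take the last entry and stop
    return str(addr)


if __name__ == "__main__":
    lb = "192.168.2.71"  # constructed load balancer address (trusted range)
    cases = [
        ("page example", lb, "1.2.3.4, 192.168.2.70", True),
        # Constructed: the client supplied its own first entry.
        ("client-supplied entry", lb, "203.0.113.9, 1.2.3.4, 192.168.2.70", True),
        ("recursive off", lb, "1.2.3.4, 192.168.2.70", False),
        # Peer outside the trusted range: the header is ignored entirely.
        ("untrusted peer", "198.51.100.7", "192.168.2.5", True),
    ]
    for name, peer, xff, rec in cases:
        print(f"{name:22} -> {real_ip(peer, xff, recursive=rec)}")
```

With recursion off, the page's example header resolves to the WAF address `192.168.2.70`, so `allow` / `deny` rules would be evaluated against the proxy rather than the client.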
