How do I deny access by source IP when behind Amazon ELB or other proxy
Nginx has a nice feature that enables you to restrict access to resources by source IP address.
However, I've noticed that this may not work in situations where nginx is behind a proxy or load balancer, in my case the Amazon ELB.
I want to provide a status page for datadog agent and the Amazon ELB health checks. So I want to allow local connections and those from the ELB but deny everything else.
The following does not work as expected, as it allows traffic originating outside the ELB to access the status page as well. The reason is that the IP appears to originate from the ELB, and the allow rules don't look at the headers to determine the real source of the request. Is there a way to tell nginx what source IP to use to determine allow/deny rules?
location /status {
    stub_status;
    access_log off;
    allow 127.0.0.1;
    allow 10.0.0.0/16;
    deny all;
}
As pointed out by Michael Hampton, I can use the Real IP Module. I wasn't aware of it.
The following worked.
http {
    # take the client address from this header instead of the TCP peer
    real_ip_header X-Forwarded-For;
    # 0.0.0.0/0 means the header is trusted from any peer, not only the ELB
    set_real_ip_from 0.0.0.0/0;
}
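To see what those two directives do before the allow/deny block runs, here is an added Python model (not part of the question or answer, and not nginx code) of how set_real_ip_from, real_ip_recursive and the access rules interact; the ELB address 10.0.1.25, the client address 203.0.113.7 and the shape of the health-check request are constructed sample values.

```python
import ipaddress

# Constructed sample values: the ELB sits in 10.0.0.0/16 and 203.0.113.7 is an
# outside client; the rules are the allow/deny block from the question.
STATUS_RULES = [("allow", "127.0.0.1/32"), ("allow", "10.0.0.0/16"), ("deny", "0.0.0.0/0")]
ELB_PEER = "10.0.1.25"


def resolve_client_ip(peer_ip, xff_header, trusted_cidrs, recursive=False):
    """Model ngx_http_realip_module with real_ip_header X-Forwarded-For:
    peer_ip is the TCP peer, xff_header the raw header value (None if absent),
    trusted_cidrs the set_real_ip_from list, recursive the real_ip_recursive flag."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in trusted)

    # The header is consulted only when the direct peer is a trusted proxy.
    if not xff_header or not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not recursive:
        return hops[-1]  # real_ip_recursive off: the rightmost address wins
    # real_ip_recursive on: walk right to left past trusted proxies and stop at
    # the first untrusted address; if every hop is trusted, the leftmost remains.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]


def access_allowed(client_ip, rules=STATUS_RULES):
    """ngx_http_access_module semantics: the first matching allow/deny rule wins."""
    ip = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        if ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return True  # no rule matched: the access module permits the request


def status_page_decisions(trusted_cidrs, recursive=False):
    """Who reaches /status under a given set_real_ip_from / real_ip_recursive setup."""
    # Constructed requests: (name, TCP peer, X-Forwarded-For as nginx sees it after
    # the ELB appends the connecting address; the health check carries no header).
    requests = [
        ("elb_health_check", ELB_PEER, None),
        ("client_via_elb", ELB_PEER, "203.0.113.7"),
        ("client_via_elb_with_own_xff", ELB_PEER, "127.0.0.1, 203.0.113.7"),
        ("client_bypassing_elb", "203.0.113.7", "127.0.0.1"),
    ]
    return {name: access_allowed(resolve_client_ip(peer, xff, trusted_cidrs, recursive))
            for name, peer, xff in requests}
```

With set_real_ip_from 0.0.0.0/0 the header is honoured from any peer, so the rules hold only as long as every request really enters through the ELB (and real_ip_recursive stays off). Trusting only the ELB's range, here 10.0.0.0/16, keeps the same health-check and client decisions while also denying the request that reaches the instance directly.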