How do I deny access by source IP when behind Amazon ELB or other proxy

nginx

Nginx has a nice feature that enables you to restrict access to resources by source IP address.

However, I've noticed that may not work in situation where nginx is behind a proxy or load balancer. In my case the Amazon ELB.

I want to provide a status page for datadog agent and the Amazon ELB health checks. So I want to allow local connections and those from the ELB but deny everything else.

The following does not work as expected as it allows traffic originating outside the ELB to access the status page as well. The reason being because the IP will appear to originate from the ELB and the allow rules don't look at the headers to determine the real source of the request. Is there a way to tell nginx what source IP to use to determine allow/deny rules?

location /status {
    stub_status;
    access_log off;
    allow 127.0.0.1;
    allow 10.0.0.0/16;
    deny all;
}

As pointed out by Michael Hampton. I can use the Real IP Module. I wasn't aware of it.

The following worked.

http { 
    real_ip_header X-Forwarded-For;
    set_real_ip_from 0.0.0.0/0;
}

Related

Azure VM change OS Disk
Do AWS Servers need fail2ban?
Can't start docker on Ubuntu 14.04: Job failed to start
AWS Cloudfront + Load Balancer, url changes from main domain to load balancer subdomain
Cannot enable cgroup_enable=memory swapaccount=1 on GCE Debian Jessie instance
Google Cloud HTTPS Loadbalance, how to force http to https
systemd-journald Doesn't start at all
Windows 10 network stack is truncating TCP packets
Who first used the term "bit rot"?
Which usage of the word "Gravity" came first? [closed]
Which dash should be used to indicate "None", "No Answer", or "Not Applicable"? [closed]
To hyphenate borne, or not to hyphenate borne? [duplicate]