Nginx supports allow and deny syntax to restrict IPs, e.g. allow 192.168.1.1;. But if traffic goes through a reverse proxy, the IP will refer to the proxy's IP. So how can it be configured to whitelist a specific origin IP and deny all other incoming requests?
remote_addr will refer to the proxy, but you can configure the proxy to send the client address with header fields X-Real-IP/X-Forwarded-For.
Combined with the ngx_http_realip module, you can modify the incoming header to use the real client address for remote_addr. I believe this will work as expected with allow/deny syntax.
Just to clarify -- allow/deny syntax should be identical after enabling and configuring the module. Substitute your IP and your proxy addresses below.
Back-end nginx allow/deny:
    location / {
        allow <your ip>;
        allow 127.0.0.1;
        deny all;
    }
Back-end nginx realip configuration:
    set_real_ip_from <your proxy>;
    real_ip_header X-Forwarded-For;
On your nginx proxy configuration:
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
If you have multiple intermediate proxies involved, you'll need to enable real_ip_recursive and whitelist additional addresses with the set_real_ip_from directive.
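As an added example (not part of the answer above), here is a small Python model of how the realip module chooses the client address from X-Forwarded-For and how allow/deny then applies to it. The trusted proxy 10.0.0.5 and the whitelisted client 203.0.113.7 are constructed placeholders standing in for <your proxy> and <your ip>.

```python
import ipaddress

# Constructed stand-ins for the placeholders in the answer.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # set_real_ip_from <your proxy>;
ALLOW_DENY = [  # location / { allow <your ip>; allow 127.0.0.1; deny all; }
    ("allow", ipaddress.ip_network("203.0.113.7/32")),
    ("allow", ipaddress.ip_network("127.0.0.1/32")),
    ("deny", ipaddress.ip_network("0.0.0.0/0")),
]


def parse_ip(text):
    """Return an ip_address or None; realip ignores addresses it cannot parse."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(addr):
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def resolve_real_ip(remote_addr, xff, recursive=False):
    """Model of real_ip_header X-Forwarded-For with/without real_ip_recursive.
    remote_addr is the TCP peer; xff is the raw header value (or None)."""
    if not is_trusted(remote_addr) or not xff:
        return remote_addr  # header from an untrusted peer is not believed
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    idx = len(hops) - 1  # recursive off: take the last (rightmost) address
    if recursive:  # recursive on: skip trusted proxies from the right
        while idx > 0 and is_trusted(hops[idx]):
            idx -= 1
    return hops[idx] if parse_ip(hops[idx]) else remote_addr


def access_decision(client_ip):
    """nginx allow/deny: rules are checked in order, first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in ALLOW_DENY:
        if ip in net:
            return action
    return "allow"


def check(remote_addr, xff, recursive=False):
    client = resolve_real_ip(remote_addr, xff, recursive)
    return client, access_decision(client)
```

Because the proxy appends its own peer address via $proxy_add_x_forwarded_for, a client-supplied X-Forwarded-For ends up to the left of the address the proxy actually saw, so the non-recursive (rightmost) choice is not fooled by it.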