I'm running a reverse proxy using proxy_pass directive from ngx_http_proxy_module. I want to forbid access to certain backend IP address ranges (like 172.0.0.0/24). I've tried

if ($upstream_addr ~* "^172.*") {
    return 403;
}
add_header X-mine "$upstream_addr";

both in server and location context but it doesn't work, i.e. Nginx still returns 200:

$ curl localhost -I
HTTP/1.1 200 OK
Server: nginx/1.17.0
Date: Thu, 13 Feb 2020 12:58:36 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Last-Modified: Tue, 24 Sep 2019 14:49:10 GMT
ETag: "5d8a2ce6-264"
Accept-Ranges: bytes
X-mine: 172.20.0.2:80

What am I missing? (Note that I added the content of $upstream_addr variable to X-mine header for debugging.)

jreisinger
The `$upstream_addr` variable seems to be empty when the if condition gets evaluated. I think so because `$upstream_addr = ""` is true. – jreisinger Feb 13 '20 at 14:39

1 Answer

My understanding is that the if directive is run before the upstream request is sent, while the $upstream_addr header is only set after the upstream request has completed. I have tried and failed to find definitive documentation that explains the precise process, but the nginx documentation seems to be missing a number of things that one might wish for.

See this answer, and also If is evil for a little more guidance. I'm not actually sure quite what you're trying to achieve so I can't offer any hope about whether or not it's possible.

Neilski
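As an added illustration of the evaluation order the answer describes (this is not configuration from the original question or answer): the `if` runs in the rewrite phase before any backend is contacted, while `add_header` and `access_log` run after the upstream exchange, so the same variable is empty in one place and populated in the other. The upstream name `backend`, the `map` variable `$backend_flag` and the log path are assumptions.

```nginx
# Added illustration, not from the original post. Goes inside the http block.
# Assumed names: upstream "backend", variable $backend_flag, the log path below.
upstream backend {
    server 172.20.0.2:80;
}

# map variables are evaluated lazily, at the moment a request first uses them,
# so $backend_flag reflects whatever $upstream_addr holds at that moment.
map $upstream_addr $backend_flag {
    default    "allowed";
    ~^172\.    "forbidden";
}

log_format backend_audit '$remote_addr "$request" upstream=$upstream_addr flag=$backend_flag';

server {
    listen 80;

    location / {
        # Rewrite phase: evaluated before proxy_pass has connected to any
        # backend, so $upstream_addr is still empty and this never matches.
        if ($upstream_addr ~* "^172.*") {
            return 403;
        }

        proxy_pass http://backend;

        # Header-filter and log phases: evaluated after the upstream exchange,
        # so $upstream_addr (and therefore $backend_flag) is populated here.
        # This can surface or record a forbidden backend, but cannot prevent
        # the request that already reached it.
        add_header X-Backend-Flag $backend_flag always;
        access_log /var/log/nginx/backend_audit.log backend_audit;
    }
}
```

With this in place, `curl -I localhost` shows `X-Backend-Flag: forbidden` and the audit log records the upstream address, while the `if` block still never returns 403.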