Does this nginx has ngx_http_access_module? #27

Open
gamesover opened this issue Jan 26, 2019 · 2 comments

gamesover commented Jan 26, 2019

I am trying to use nginx to whitelist the IPs allowed to access my Heroku app.

Following https://serverfault.com/a/844504/506273, for testing purposes, I set up the config below in the file config/nginx.conf.erb:

server {
    listen <%= ENV["PORT"] %>;
    server_name _;
    keepalive_timeout 5;

    deny all;

    location / {
        deny all;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://app_server;
    }
}

It does not work at all (for rejecting access to my Heroku app from all IPs).

Any suggestions? Is it due to my issue or something else?

BTW, heroku-buildpack-nginx seems good. My Rails frontend is driven by Nginx, except it cannot whitelist the IPs.

@gamesover gamesover changed the title Does this nginx respect allow and deny ip rules? Does this nginx has ngx_http_access_module? Jan 26, 2019
@shaneikennedy
Contributor

ngx_http_access_module is compiled by default (https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#selecting-the-nginx-modules-to-build), and since it is not explicitly excluded in scripts/build_nginx, it should be included in the buildpack.


meltingice commented Apr 29, 2020

I just ran into this as well. The issue is that nginx is using the Heroku router's IP by default since the router is proxying the request. We need to use the Real IP module (which is included in this buildpack) to let nginx know what the actual client IP is. Add it to the server block in the nginx.conf.erb file:

  server {
    listen <%= ENV["PORT"] %>;
    server_name _;
    keepalive_timeout 5;

    # Add the below 2 lines
    real_ip_header X-Forwarded-For;
    set_real_ip_from 0.0.0.0/0;

    # ... rest of your config

Typically you're supposed to whitelist the addresses of your proxy servers, but in this case, we can't know them because of how Heroku works. Setting 0.0.0.0/0 to allow all addresses seems to be working fine for me. Heroku adds what it detects as your IP address onto the end of the X-Forwarded-For header, so by whitelisting all addresses for the Real IP module, that means nginx will use the last address in the X-Forwarded-For header, which is what the Heroku router detected as your IP address.

I added the X-Forwarded-For header to the nginx logging to double check this:

curl --head -H 'X-Forwarded-For: 1.1.1.1' http://example.com
2020-04-29T13:45:54.978269+00:00 app[web.5]: measure#nginx.service=0.726 request_id=e84267b4-733e-4ff2-87ff-84cc97eaeec1 ip=1.1.1.1, 45.27.15.103

Once you do this, you can use allow/deny like you normally would.
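
Added example (not from the thread or the buildpack): a simplified Python model of how the Real IP module picks the client address from X-Forwarded-For and what allow/deny then evaluates, using the header from the log line above. The router address `10.0.0.1` and all function names are assumptions. The `recursive=True` case goes beyond the comment: with `real_ip_recursive on` and `0.0.0.0/0` trusted, the chosen address becomes the leftmost header entry, which the client supplies, so that combination should be avoided.

```python
import ipaddress

def real_ip(peer, xff, trusted, recursive=False):
    """Simplified model of how ngx_http_realip_module picks the client address.

    peer: TCP peer (on Heroku, the router); xff: X-Forwarded-For value;
    trusted: set_real_ip_from CIDRs; recursive: real_ip_recursive (default off).
    """
    nets = [ipaddress.ip_network(c) for c in trusted]
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    addr = peer
    # Walk the header right to left, stepping left only while the address
    # currently held belongs to a trusted proxy.
    while hops and any(ipaddress.ip_address(addr) in n for n in nets):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: keep the address already chosen
        addr = candidate
        if not recursive:
            break
    return addr

def access(addr, rules):
    """First matching allow/deny rule wins; no match means allow."""
    ip = ipaddress.ip_address(addr)
    for action, cidr in rules:
        if cidr == "all" or ip in ipaddress.ip_network(cidr):
            return action
    return "allow"

# Constructed sample input: the header is the one in the log line above,
# the router address is an assumed placeholder.
ROUTER = "10.0.0.1"
XFF = "1.1.1.1, 45.27.15.103"
RULES = [("allow", "45.27.15.103"), ("deny", "all")]

if __name__ == "__main__":
    cases = [("no set_real_ip_from", [], False),
             ("trust 0.0.0.0/0, recursive off", ["0.0.0.0/0"], False),
             ("trust 0.0.0.0/0, recursive on", ["0.0.0.0/0"], True)]
    for label, trusted, recursive in cases:
        addr = real_ip(ROUTER, XFF, trusted, recursive)
        print(f"{label}: client={addr} -> {access(addr, RULES)}")
```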
