How to beat $remote_addr in allow?

N

nikitasius2014-11-29 03:25:52

Nginx

nikitasius, 2014-11-29 03:25:52

Good evening.
nginx is built with the "ngx_http_realip_module" module.
Access config says:

allow  127.0.0.1;
[allow на ipv4 и ipv6 сервера]
allow  199.27.128.0/21;
[allow на другие подсети cloudflare];
deny all;

Then there are lines (in the config above the lines with allow):

set_real_ip_from  199.27.128.0/21;
[set_real_ip_from  другие подсети cloudflare];
real_ip_header     CF-Connecting-IP;

I see in the logs that nginx correctly determines the client's ip from the header that is passed to it from the cloudflare servers, but the client gets 403, since the client's ip is not included in the ip specified in the allow section.
I tried to play with either:
allow $remote_addr;(since the client's ip is stored here)
or

set $newuserip $remote_addr;
allow $newuserip;

In both cases, nginx writes
nginx: [emerg] invalid parameter "$newuserip " in
nginx: [emerg] invalid parameter "$remote_addr" in
Is it possible to somehow beat the current ip of the client in the allow section (make it dynamic)?
This is necessary to: * see the actual ip from the logs.
* I already see it as a header, but it needs to be "beautiful".

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

N

neolink, 2014-11-29
@neolink

close port 80 with iptables

E

Eugene, 2014-12-07
@Nc_Soft

Just change the log format.
By the way, I have a question about cdn cloudflare: I noticed that while the file is downloaded by the first requester and it is uploaded to the cdn cache, no one else can download it. Connections per file just hang and wait. Then it is already distributed with cloudflare and everything is fine.
Have you experienced this? How are files thrown into the cache for you?