Allow and Deny IP's

Kaushal Shriyan
Hi,

When I run this curl call -> curl -X GET http://13.127.165.226/ -H 'cache-control: no-cache' -H 'postman-token: 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H 'x-forwarded-for: 12.12.12.13.11'

Ideally the request should not be allowed and the access log should report 403 instead of 200
I get 200 OK in the access.log

  location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        allow   182.76.214.126/32;
        allow   116.75.80.47/32;
        deny all;
        error_page 404 /404.html;
            location = /40x.html {
        }

Please let me know if I am missing anything.

Best Regards,

Kaushal

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Allow and Deny IP's

Ph. Gras
Hello there!


location ~* wp-login\.php$ {
        allow 127.0.0.1;
        allow A.B.C.D; # My server's IP
        allow E.F.G.H/13; # The IP range where I am
        deny all;
        if ($http_user_agent = "-") { return 403;}
        if ($http_user_agent = "") { return 403;}
        if ($http_referer = "-") { return 403;}
        if ($http_referer = "") { return 403;}
        limit_conn limit 5;
}

185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "POST /wp-login.php HTTP/1.1" 200 1688 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
81.177.126.235 - - [05/Feb/2018:22:08:21 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
81.177.126.235 - - [05/Feb/2018:22:08:22 +0100] "POST /wp-login.php HTTP/1.1" 200 1688 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
109.252.93.223 - - [06/Feb/2018:00:20:05 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
109.252.93.223 - - [06/Feb/2018:00:20:05 +0100] "POST /wp-login.php HTTP/1.1" 200 1688 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
95.26.90.3 - - [06/Feb/2018:00:20:10 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
95.26.90.3 - - [06/Feb/2018:00:20:11 +0100] "POST /wp-login.php HTTP/1.1" 200 1688 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"

Me too :-(

Ph. Gras

Re: Allow and Deny IP's

Kaushal Shriyan


Hi,

Checking in if anyone can pitch in for help for my post to this mailing list.

Thanks in Advance.

Best Regards,

Kaushal 



Re: Allow and Deny IP's

Francis Daly
In reply to this post by Ph. Gras
On Tue, Feb 06, 2018 at 01:02:22AM +0100, Ph. Gras wrote:

Hi there,

> location ~* wp-login\.php$ {

> 185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"

> Me too :-(

Have you any reason to believe that this location is used to handle this request?

$ nginx -T | grep 'server\|location'

will possibly give a useful hint in that direction.

For what it is worth, if I use:

==
server {
  listen 8888;
  location /x/ {
    allow 127.0.0.1;
    deny all;
  }
}
==

then

$ curl -i http://127.0.0.1:8888/x/

gives me http 200 (html/x/index.html exists), while

$ curl -i http://127.0.0.2:8888/x/

gives me http 403.

So - "works for me". What do you see, when you test that?

What parts of your current config do you have to add, in order for that
test to fail for you?

        f
--
Francis Daly        [hidden email]

Re: Allow and Deny IP's

Francis Daly
In reply to this post by Kaushal Shriyan
On Mon, Feb 05, 2018 at 11:56:04PM +0530, Kaushal Shriyan wrote:

Hi there,

> When i run this curl call -> curl -X GET http://13.127.165.226/ -H
> 'cache-control: no-cache' -H 'postman-token:
> 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H 'x-forwarded-for: 12.12.12.13.11'
>
> Ideally the request should not be allowed and the access log should report
> 403 instead of 200

Why should it not be allowed?

What IP address are you making the request from?

> I get 200 OK in the access.log
>
>   location / {
>         proxy_set_header X-Forwarded-For $remote_addr;
>         allow   182.76.214.126/32;
>         allow   116.75.80.47/32;
>         deny all;
>         error_page 404 /404.html;
>             location = /40x.html {
>         }
>
> Please let me know if i am missing anything.

Your config fragment is incomplete. But when I use something similar,
I get the expected http 200 from an address in the "allow" list, and
the expected http 403 from an address not in the "allow" list.

The output of "nginx -V" might be interesting, in case you are using a
version that has broken allow/deny handling.

        f
--
Francis Daly        [hidden email]

Re: Allow and Deny IP's

Kaushal Shriyan


On Wed, Feb 7, 2018 at 5:32 AM, Francis Daly <[hidden email]> wrote:
> On Mon, Feb 05, 2018 at 11:56:04PM +0530, Kaushal Shriyan wrote:
>
> Hi there,
>
> > When i run this curl call -> curl -X GET http://13.127.165.226/ -H
> > 'cache-control: no-cache' -H 'postman-token:
> > 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H 'x-forwarded-for: 12.12.12.13.11'
> >
> > Ideally the request should not be allowed and the access log should report
> > 403 instead of 200
>
> Why should it not be allowed?

Hi Francis,

In the curl request I am adding http header -H 'x-forwarded-for: 12.12.12.13.11' 

curl -X GET http://13.127.165.226/ -H 'cache-control: no-cache' -H 'postman-token: 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H 'x-forwarded-for: 12.12.12.13.11' 

IP :- 12.12.12.13.11 should be denied with 403

Please let me know if I am missing anything.

Best Regards,

Kaushal


Re: Allow and Deny IP's

Francis Daly
On Wed, Feb 07, 2018 at 09:57:04PM +0530, Kaushal Shriyan wrote:
> On Wed, Feb 7, 2018 at 5:32 AM, Francis Daly <[hidden email]> wrote:
> > On Mon, Feb 05, 2018 at 11:56:04PM +0530, Kaushal Shriyan wrote:

Hi there,

> In the curl request I am adding http header -H 'x-forwarded-for:
> 12.12.12.13.11'
>
> curl -X GET http://13.127.165.226/ -H 'cache-control: no-cache' -H
> > 'postman-token: 2494a4a7-6791-2426-cedf-d0bcaa1cd90a' -H
> > 'x-forwarded-for: 12.12.12.13.11'
>
>
> IP :- 12.12.12.13.11 should be denied with 403
>
> Please let me know if i am missing anything.

No part of your config that I can see says to use the contents of the
x-forwarded-for header to determine whether the request should be allowed
or denied.

Is that in a part of the configuration that you did not show?

(Also: 12.12.12.13.11 is not an IP address.)

        f
--
Francis Daly        [hidden email]
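
Added example, not part of the thread: a simplified Python model of the point made in the reply above, that allow/deny is evaluated against the connection's peer address, and that X-Forwarded-For only changes that address when the realip module (set_real_ip_from, real_ip_header) is configured for a trusted proxy. The allow list is the one from the original post; the peer addresses and the 10.0.0.0/8 proxy range are constructed.

```python
import ipaddress

# Allow list from the config in the original post; everything else is "deny all".
ALLOW = [ipaddress.ip_network(n) for n in ("182.76.214.126/32", "116.75.80.47/32")]


def effective_addr(peer, xff=None, trusted=()):
    """Return the address that allow/deny is checked against.

    peer    -- address of the TCP connection (what $remote_addr starts as)
    xff     -- value of the X-Forwarded-For request header, if any
    trusted -- networks that would be listed with set_real_ip_from; empty
               means the realip module is not configured at all
    """
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(n) for n in trusted]
    # The header is consulted only when the peer itself is a trusted proxy.
    if not xff or not any(peer_ip in n for n in nets):
        return peer_ip
    last = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        # A value such as "12.12.12.13.11" is not an IP address: keep the peer.
        return peer_ip


def status(peer, xff=None, trusted=()):
    """HTTP status the allow/deny rules would produce for this request."""
    addr = effective_addr(peer, xff, trusted)
    return 200 if any(addr in n for n in ALLOW) else 403


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For, trusted proxies)
    cases = [
        ("182.76.214.126", "12.12.12.13.11", ()),            # allowed peer, header ignored
        ("203.0.113.9", "182.76.214.126", ()),               # header alone grants nothing
        ("10.0.0.5", "12.12.12.13", ("10.0.0.0/8",)),        # forwarded client is checked
        ("10.0.0.5", "182.76.214.126", ("10.0.0.0/8",)),     # forwarded client is allowed
    ]
    for peer, xff, trusted in cases:
        print(peer, xff, trusted, "->", status(peer, xff, trusted))
```

If the header is to be honoured, set_real_ip_from should list only the addresses of real proxies, because any peer inside a trusted range can put whatever address it likes in X-Forwarded-For.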

Re: Allow and Deny IP's

Ph. Gras
In reply to this post by Francis Daly
Hi Francis,

>> location ~* wp-login\.php$ {
>
>> 185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
>
>> Me too :-(
>
> Have you any reason to believe that this location is used to handle this request?

Yes, and this especially since before, it worked as expected :-(

>
> $ nginx -T | grep 'server\|location'
>
> will possibly give a useful hint in that direction.

# nginx -T | grep "www.example.com/wp-login.php"
nginx: invalid option: "T"

Is something missing?

# apt-show-versions | grep nginx
nginx:all/jessie 1.6.2-5+deb8u5 uptodate
nginx-common:all/jessie 1.6.2-5+deb8u5 uptodate
nginx-full:amd64/jessie 1.6.2-5+deb8u5 uptodate
python-certbot-nginx:all/jessie-backports 0.10.2-1~bpo8+1 uptodate

Thank you for your help,

Ph. Gras

Re: Allow and Deny IP's

Jason Whittington
In reply to this post by Kaushal Shriyan
I find that add_header always works well to verify that the location is being chosen the way you think.

Try something like

   add_header X-NGINX-Route <foobar> always;

to some of your location blocks and specify different distinct values for <foobar>.

Then in your browser you can use F12 tools to verify that you are getting back the header you expected.

Jason



Re: Allow and Deny IP's

Ph. Gras
Hmmm!

>>> location ~* wp-login\.php$ {
>>
>>> 185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
>>
>>> Me too :-(
>>
>> Have you any reason to believe that this location is used to handle this request?
>
> Yes, and this especially since before, it worked as expected :-(

You're right. It's working better with a / before path :-)

location =/wp-login.php {
# etc;
}

Thanks for all,

Ph. Gras

Re: Allow and Deny IP's

Francis Daly
In reply to this post by Ph. Gras
On Wed, Feb 07, 2018 at 07:28:37PM +0100, Ph. Gras wrote:

Hi there,

> >> location ~* wp-login\.php$ {
> >
> >> 185.124.153.168 - - [05/Feb/2018:21:36:12 +0100] "GET /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0"
> >
> >> Me too :-(
> >
> > Have you any reason to believe that this location is used to handle this request?
>
> Yes, and this especially since before, it worked as expected :-(

I see in other mail that that has become fixed -- probably this location
was not being used for this request, owing to an earlier "location ~
php", or something else that was changed since it had been working before.

> > $ nginx -T | grep 'server\|location'
> >
> > will possibly give a useful hint in that direction.
>
> # nginx -T | grep "www.example.com/wp-login.php"
> nginx: invalid option: "T"

I actually meant literally "grep 'server\|location'", to show the
server{} blocks (and server_name directives) and the location directives
in your config, which might be enough to show which location{} is used
for one request.

But your nginx version is from before "-T" was added, so you would have
to look in the config file (and any include:d files) directly, and there
isn't a simple one-liner to do that.

And now that it works for you, it is not important any more :-)

        f
--
Francis Daly        [hidden email]