New day, new task, and no Stack Overflow solution for it.
My goal was to block the /admin endpoint for users outside the company's IP range.
After a long search on Google and Stack Overflow, I got some ideas for doing it, but I couldn't find a simple solution.
The main problem is that CloudFront replaces the client IP with its own and moves the client IP into the X-Forwarded-For header field; the ELB then adds another IP to that header, and so on.
Long story short, the solution is to walk the X-Forwarded-For header field and take the first entry, which is the actual client IP.
Add the following lines to your Nginx conf:
map $http_x_forwarded_for $real_ip {
    # take the first IPv4 address in X-Forwarded-For as the client IP
    ~^(\d+\.\d+\.\d+\.\d+) $1;
    # no header present: fall back to the address of the connecting peer
    default $remote_addr;
}

geo $real_ip $giveaccess {
    default 0;
    [First-IP] 1;
    [Second-IP] 1;
    ..
}
..
server {
    ..
    location /admin {
        if ($giveaccess = 0) {
            # redirect the user to index or another place in the app
            return 302 $scheme://example.tld;
        }
    }
    ..
}
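One caveat a defender should keep in mind with the map above: the leftmost X-Forwarded-For entry is whatever the client put in the request before it reached CloudFront, because every proxy appends to the header rather than replacing it. A request that arrives with a forged first entry inside the company range would be let into /admin. The robust rule is to walk the header from the right and discard the addresses that belong to proxies you trust; the first address that is not one of your proxies is the client. That is exactly what nginx's realip module does with set_real_ip_from, real_ip_header X-Forwarded-For and real_ip_recursive on. The following Python script is an added example, not code from the original post: it implements the page's leftmost rule next to the right-to-left trusted-proxy walk, and runs both over constructed headers. The company and proxy ranges are placeholders from the documentation address blocks, not real infrastructure.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation blocks), not real addresses.
COMPANY_NETS = [ipaddress.ip_network("203.0.113.0/24")]          # stands in for [First-IP], [Second-IP], ...
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),                     # stands in for the ELB subnet
    ipaddress.ip_network("192.0.2.0/24"),                        # stands in for CloudFront edge ranges
]


def in_any(ip, nets):
    """True if ip falls inside any of the given networks."""
    return any(ip in n for n in nets)


def parse_xff(header):
    """Split X-Forwarded-For into address objects, oldest hop first.
    Entries that are not valid IP literals become None instead of raising."""
    out = []
    for part in (header or "").split(","):
        part = part.strip()
        if not part:
            continue
        try:
            out.append(ipaddress.ip_address(part))
        except ValueError:
            out.append(None)
    return out


def leftmost_client_ip(header, remote_addr):
    """The page's map rule: first IPv4 entry of X-Forwarded-For, else $remote_addr.
    The first entry is client-supplied, so anyone can choose what it says."""
    entries = parse_xff(header)
    if entries and entries[0] is not None and entries[0].version == 4:
        return entries[0]
    return ipaddress.ip_address(remote_addr)


def trusted_client_ip(header, remote_addr):
    """Right-to-left walk, the same idea as nginx set_real_ip_from + real_ip_recursive.
    Skip every address appended by a proxy we trust; the first untrusted one is the client.
    Returns None when the request did not come through the expected chain."""
    peer = ipaddress.ip_address(remote_addr)
    if not in_any(peer, TRUSTED_PROXY_NETS):
        return peer  # direct connection: the socket peer is the client, ignore the header
    for entry in reversed(parse_xff(header)):
        if entry is None:
            return None  # garbage inside the trusted part of the chain: deny rather than guess
        if not in_any(entry, TRUSTED_PROXY_NETS):
            return entry
    return None  # header exhausted without reaching a client address


def give_access(ip):
    """Equivalent of the geo block: 1 only for addresses inside the company ranges."""
    return ip is not None and in_any(ip, COMPANY_NETS)


if __name__ == "__main__":
    # Constructed request: the client (100.64.7.7) forged a company address as the first entry;
    # CloudFront (192.0.2.9) appended the client, the ELB (198.51.100.4) is the socket peer.
    forged = "203.0.113.5, 100.64.7.7, 192.0.2.9"
    print("leftmost rule :", leftmost_client_ip(forged, "198.51.100.4"), give_access(leftmost_client_ip(forged, "198.51.100.4")))
    print("trusted walk  :", trusted_client_ip(forged, "198.51.100.4"), give_access(trusted_client_ip(forged, "198.51.100.4")))
```

Running it shows the forged header passing the leftmost rule and failing the trusted walk, while a genuine office request ("203.0.113.5, 192.0.2.9" from the ELB) passes both. In nginx terms, once the realip module has been told which proxy ranges to trust, $remote_addr already holds the result of this walk, so the geo block can key on $remote_addr directly instead of the map.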