Skip to main content

How to forward the real client IP to a webserver NGINX behind a GCP Load Balancer

Purpose: We want to protect the origin server from being hit directly over the internet so we make sure only CDN/WAF connect to the backend also known as Origin Protection.

Scenario: 

https://www.indusface.com/blog/fundamentals-of-origin-server-protection/



CDN+WAF---->GCP Load Balancer --->VM Nginx


Solution:

Modify Nginx Configuration

...

location / { 
    allow 100.100.100.0/24; //Change with your CDN/WAF source IP that connects to the backend.
    deny all;
}

...

set_real_ip_from 1.1.1.1/32; // Change with your LB Public IP address
set_real_ip_from 130.211.0.0/22; // Private IP range for GCP Load Balancers
set_real_ip_from 35.191.0.0/16; //Private IP range for GCP Load Balancers
real_ip_header X-Forwarded-For; 
real_ip_recursive on;

...

Save and restart the services.

Check the Log

tail -f /var/log/nginx/access.log

tail -f /var/log/nginx/error.log


If there is client over the internet hit directly IP the load balancer, it will be blocked by Nginx (403 Forbidden)
you should see that the client source IP that is not whitelisted in the Nginx config will be denied as well.



References: 


Labels:

Comments

Post a Comment

Popular posts from this blog

Soal dan pembahasan LKSN ITNSA

Berikut adalah koleksi soal-soal ITNSA dan beberapa website yang memberikan pembahasan pada event perlombaaan LKS SMK Nasional bidang lomba IT Network Systems Administration. 2014 Palembang Di tahun ini ada 1 soal packet tracer. Di website dibawah ini diberikan juga cara pembahasannya. https://agussas.wordpress.com/2015/04/02/review-soal-lks-nasional-it-network-23-packet-tracer-challenge/ Semua soal:  https://www.dropbox.com/sh/l90zyke2ib5msgv/AAA3kPOFo-zEn4wPOW4a3iMwa?dl=0 dan https://drive.google.com/file/d/18lDhtMjAnPAhkfOJ6uFHsC5j6ycg3K4I/view Pembahasan juga dalam bentuk video di youtube:  https://www.youtube.com/watch?v=8QML594nQBU 2015 Banten Pembahasan:   https://www.youtube.com/watch?v=quDbpC2xSfQ Soal:  https://drive.google.com/file/d/1B09IYfdoGENBL3txSQodpptG1zdQxBWI/view 2016 Malang Soal:   https://drive.google.com/file/d/13-2bRtb5IXO9vxAhLfhghZbDXeUzD0FI/view Pembahasan:   https://www.youtube.com/watch?v=zmUSUZguH24 20...
2 comments
Read more

Dasar instalasi dan konfigurasi OpenLDAP

 ### Panduan Instalasi OpenLDAP Berikut adalah panduan sederhana untuk menginstal dan mengkonfigurasi OpenLDAP pada server dengan domain `bagussa.my.id` dan IP `10.10.10.1`.  #### 1. Instalasi OpenLDAP Pertama, instal OpenLDAP beserta paket-paket yang diperlukan: ```bash sudo apt update sudo apt install slapd ldap-utils ``` Selama instalasi, Anda mungkin akan diminta untuk memasukkan kata sandi untuk `admin` LDAP. Simpan kata sandi ini dengan aman. #### 2. Konfigurasi Manual di `/etc/hosts` Tambahkan entri untuk domain dan IP di file `/etc/hosts`: ```bash sudo nano /etc/hosts ``` Tambahkan baris berikut: ``` 10.10.10.1    bagussa.my.id ``` Simpan dan keluar dari editor. #### 3. Konfigurasi `/etc/ldap/ldap.conf` Edit file konfigurasi LDAP: ```bash sudo nano /etc/ldap/ldap.conf ``` Tambahkan atau modifikasi baris berikut: ``` BASE    dc=bagussa,dc=my,dc=id URI     ldap://10.10.10.1 ``` Simpan dan keluar dari editor. #### 4. Buat OU dan Group de...
Post a Comment
Read more

TABLE OF CONTENTS

BASIC CONFIGURATION https://sa-bagus.blogspot.com/2023/01/soal-dan-pembahasan-lks-itnsa-network.html DYNAMIC CONFIGURATION PROTOCOL https://sa-bagus.blogspot.com/2020/05/pembahasan-lks-asc-wsc-modul-cisco-dhcp.html VIRTUAL PRIVATE NETWORK https://sa-bagus.blogspot.com/2020/06/referensi-bagus-untuk-konfigurasi.html PUBLIC KEY INFRASTRUCTURE / CERTIFICATE https://sa-bagus.blogspot.com/2023/01/pembahasan-lks-itnsa-ceritificate.html DIRECTORY SERVICES https://sa-bagus.blogspot.com/2018/01/menginstal-dan-mengkonfigurasi.html https://sa-bagus.blogspot.com/2022/11/lks-wsc-itnsa-how-to-create-user.html WEB SERVER https://sa-bagus.blogspot.com/2023/09/cara-redirect-http-ke-https-di-apache2.html
Post a Comment
Read more