Chapter 5
[ 95 ]
If the application still needs some information present in the certificate, for example,
to authorize a user, NGINX can deliver this information in a header:
location / {
    proxy_set_header X-HTTP-AUTH $ssl_client_s_dn;
    proxy_pass http://secured;
}
Now, our application running on the upstream server secured can use the value
of the X-HTTP-AUTH header to authorize the client for access to different areas.
The variable $ssl_client_s_dn contains the subject DN of the client certificate.
The application can use this information to match the user against a database
or look the user up in a directory.
Two conditions have to hold for this to be safe. First, the upstream must be
reachable only through NGINX: a client that can connect to it directly can set
X-HTTP-AUTH to any value it likes. Within NGINX, proxy_set_header replaces any
X-HTTP-AUTH header the client itself sent, so the upstream only ever sees the
value derived from the certificate. Second, NGINX must actually have verified the
certificate: $ssl_client_s_dn is empty unless a client certificate was requested,
and with ssl_verify_client optional the variable is set even for a certificate
that failed verification, so in that mode the application must also check that
$ssl_client_verify is SUCCESS.
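The following server block is an added example, not configuration from the book; it shows the location above in context, with client certificate verification switched on so that the header passed upstream is always derived from a certificate NGINX has checked. The certificate paths, the host name and the upstream address are assumptions.

```nginx
# Added example: client-certificate authentication terminated on NGINX,
# with the verified subject DN handed to the upstream in a header.
# All paths, names and addresses below are placeholders.
upstream secured {
    # The application must only be reachable from NGINX; here it listens
    # on loopback so no client can inject X-HTTP-AUTH by connecting directly.
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate         /etc/nginx/ssl/server.crt;
    ssl_certificate_key     /etc/nginx/ssl/server.key;

    # CA that issued the client certificates. With "on", the handshake fails
    # unless the client presents a certificate that chains to this CA, so
    # $ssl_client_s_dn is always the DN of a verified certificate.
    ssl_client_certificate  /etc/nginx/ssl/client-ca.crt;
    ssl_verify_client       on;

    location / {
        # proxy_set_header overwrites any X-HTTP-AUTH the client sent itself.
        proxy_set_header X-HTTP-AUTH   $ssl_client_s_dn;
        # Also useful upstream: the verification result and the certificate serial.
        proxy_set_header X-SSL-VERIFY  $ssl_client_verify;
        proxy_set_header X-SSL-SERIAL  $ssl_client_serial;
        proxy_pass http://secured;
    }
}
```

If the same server must also serve clients without certificates, change ssl_verify_client to optional and have the application treat X-HTTP-AUTH as authoritative only when X-SSL-VERIFY is SUCCESS.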
Blocking traffic based on originating IP address
As client connections terminate on the reverse proxy, it is possible to limit clients based
on IP address. This is useful in cases of abuse where a number of invalid connections
originate from a certain set of IP addresses. As in Perl, there is more than one way to
do it. We will discuss the GeoIP module here as a possible solution.
Your nginx binary will need to have been compiled with the GeoIP module activated
(--with-http_geoip_module) and the MaxMind GeoIP library installed on your
system. Specify the location of the precompiled database file with the geoip_country
directive in the http context. This provides the most efficient way to block/allow IP
addresses by country code:
geoip_country /usr/local/etc/geo/GeoIP.dat;
Note that this module reads the legacy GeoIP .dat format, which MaxMind no longer
distributes; an existing copy of the file keeps working, but it will not receive
updates.
If a client's connection comes from an IP address listed in this database, the value
of the $geoip_country_code variable will be set to the ISO two-letter code for the
originating country.
We will use the data provided by the GeoIP module together with the closely-named
geo module, as well. The geo module provides a very basic interface for setting
a variable based on the IP address of a client connection. It sets up a named
context in which each line pairs an IP address or CIDR range with the value the
variable takes when the client address matches; a default entry covers everything
else. Both modules look at $remote_addr, that is, the address of the TCP peer. If
NGINX sits behind another proxy or load balancer, that peer is the proxy, and you
must tell the modules which proxies to trust (the proxy parameter of geo and the
geoip_proxy directive) so that the real client address is taken from
X-Forwarded-For instead. By combining these two modules, we can block IP
addresses based on the country of origin, while allowing access from a set of
specific IP addresses.
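As an added example, not the book's own configuration, here is one way to combine the two modules: geoip_country classifies the client by country, geo marks a set of addresses as always allowed, and a map (the built-in map module) folds the two results into a single flag that the location tests. The database path, the country codes XX and YY, and the address ranges are placeholders.

```nginx
# Added example: deny by country of origin, except for trusted addresses.
# Country codes, address ranges and paths are placeholders.
http {
    geoip_country /usr/local/etc/geo/GeoIP.dat;

    # 1 for countries we want to block, 0 for everything else
    # (including addresses the database does not know, where
    # $geoip_country_code is empty).
    map $geoip_country_code $blocked_country {
        default 0;
        XX      1;
        YY      1;
    }

    # Addresses that are allowed regardless of country. Without an
    # address argument, geo matches against $remote_addr.
    geo $trusted_ip {
        default        0;
        10.0.0.0/8     1;
        203.0.113.0/24 1;
    }

    # Deny only when the address is untrusted AND its country is blocked.
    # map sources may contain several variables, so the two flags are
    # concatenated into one lookup key.
    map "$trusted_ip$blocked_country" $deny_client {
        default 0;
        "01"    1;
    }

    server {
        listen 80;

        location / {
            # A variable is "true" for if when it is neither empty nor "0".
            if ($deny_client) {
                return 403;
            }
            proxy_pass http://secured;
        }
    }
}
```

Doing the decision in map rather than in a chain of if blocks keeps the per-request logic to a single lookup and avoids the well-known pitfalls of nesting directives inside if. Test the result with an address from each class before deploying: a trusted address from a blocked country must still reach the upstream, and an unknown address (empty $geoip_country_code) must not be denied by accident.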