block fake real ip

FuhuXia · FuhuXia · commit 9f84336ba0f1 · 2025-07-10T11:42:05.000-04:00
diff --git a/proxy/nginx-malicious.conf b/proxy/nginx-malicious.conf
@@ -8,6 +8,10 @@ if ($http_x_amzn_waf_detection = "datacenter") {
   return 429;
 }
 
+if ($invalid_real_ip = 1) {
+    return 429;
+}
+
 error_page 429 @malicious;
 
 location @malicious {
diff --git a/proxy/nginx.conf b/proxy/nginx.conf
@@ -26,6 +26,31 @@ http {
     {{env "EXTERNAL_ROUTE_ADMIN"}} {{env "INTERNAL_ROUTE_ADMIN"}};
   }
 
+  # Extract first IP from X-Forwarded-For header
+  map $http_x_forwarded_for $first_forwarded_ip {
+      ~^([^,\s]+) $1;
+      default "";
+  }
+  # Check if first IP is invalid real ip
+  map $first_forwarded_ip $invalid_real_ip {
+      # RFC 1918 Private IP ranges
+      ~^10\.                          1;  # 10.0.0.0/8
+      ~^172\.(1[6-9]|2[0-9]|3[01])\.  1;  # 172.16.0.0/12
+      ~^192\.168\.                    1;  # 192.168.0.0/16
+
+      # RFC 3927 Link-local addresses
+      ~^169\.254\.                    1;  # 169.254.0.0/16
+
+      # RFC 5735 Loopback
+      ~^127\.                         1;  # 127.0.0.0/8
+
+      # RFC 1122 Current network (only valid as source)
+      ~^0\.0\.0\.0$                   1;  # 0.0.0.0/32
+
+      # Default case - public IP
+      default                         0;
+  }
+
   server {
     listen {{port}};
     root public;

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,10 @@ if ($http_x_amzn_waf_detection = "datacenter") {`
`8`	`8`	`return 429;`
`9`	`9`	`}`
`10`	`10`
	`11`	`+if ($invalid_real_ip = 1) {`
	`12`	`+ return 429;`
	`13`	`+}`
	`14`	`+`
`11`	`15`	`error_page 429 @malicious;`
`12`	`16`
`13`	`17`	`location @malicious {`