IP Banning behind a Reverse Proxy



  • So I found a small but rather frustrating bug (don't judge by title) in NodeBB.

    If you add an IP Ban - no user is able to register, including IP Addressses that are not supposed to be IP Banned, an error occurs well the full html of an error displays saying NodeBB is unable to match the IPs the error message is just an html blob, it doesn't display properly. Initially I thought this could be a cloudflare caused issue so I disabled things like minify, rocketloader, etc and cleared caches on cloudflare and my local system, however the problem persisted, the full html in error message likely wasn't a cloudflare caused issue otherwise other registration errors would also display as full html [Purposely failing the captcha https://i.imgur.com/5XooFnB.png the error displays fine]). However with Cloudflare enabled, NodeBB is unable to match IPs and therefore the IP Bans feature cannot be used. My workaround is to issue IP Bans at Cloudflare Level however it'd be nice if I could use the NodeBB Built in one. Thoughts?


    Nginx Configuration:

    
    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    
    events {
    	worker_connections 2048;
    	multi_accept on;
    	use epoll;
    }
    
    http {
    
    	##
    	# Basic Settings
    	##
    
    	sendfile on;
    	tcp_nopush on;
    	tcp_nodelay on;
    	keepalive_timeout 120;
    	types_hash_max_size 2048;
    	server_tokens off;
    
    	##
    	# Security Options
    	##
    	client_max_body_size 100m;
    
    	# server_names_hash_bucket_size 64;
    	# server_name_in_redirect off;
    
    	include /etc/nginx/mime.types;
    	default_type application/octet-stream;
    
    	##
    	# SSL Settings
    	##
    
    	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    	ssl_prefer_server_ciphers on;
    
    	##
    	# Logging Settings
    	##
    
    	access_log /var/log/nginx/access.log;
    	error_log /var/log/nginx/error.log;
    
    	##
    	# Gzip Settings
    	##
    
    	gzip on;
    	gzip_disable "msie6";
    
    	gzip_vary on;
    	gzip_proxied any;
    	gzip_comp_level 6;
    	gzip_buffers 16 8k;
    	gzip_http_version 1.1;
    	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    
    	##
    	# Virtual Host Configs
    	##
    	include /etc/nginx/sites-enabled/*;
    	include /etc/nginx/ipbans.conf;
    
    ##
    # Cloudflare Set Real IP
    ##
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;
    real_ip_header CF-Connecting-IP;
    }
    
    server {
    	listen 80;
    	listen 443 ssl;
    	root /var/www/html/;
    	index index.html;
    	server_name sinfulforums.net www.sinfulforums.net;
    
    
    	# Main Location Block
    	location / {
    		proxy_http_version 1.1;
    		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    		proxy_set_header X-Forwarded-Proto $scheme;
    	        proxy_set_header X-Real-IP $remote_addr;
    		proxy_set_header Upgrade $http_upgrade;
    		proxy_set_header Connection 'upgrade';
    		proxy_set_header Host $host;
    		proxy_set_header X-NginX-Proxy true;
    		proxy_redirect off;
    		proxy_pass http://127.0.0.1:4567;
    
    			types {
    				application/javascript jst js;
    				text/css css;
    			}
    	}
    
    
    	# SSL Configuration
    	ssl_certificate /etc/nginx/ssl/cert.pem;
    	ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    	ssl_session_cache shared:SSL:10m;
    	ssl_session_timeout 10m;
    	ssl_protocols TLSv1.2;
    	ssl_prefer_server_ciphers on;
    	ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    	ssl_client_certificate /etc/nginx/ssl/originpull.pem;
            ssl_verify_client on;
    	ssl_dhparam ssl/dhparam.pem;
    	ssl_ecdh_curve secp384r1;
    }
    
    

 

| |