IP Banning behind a Reverse Proxy

Bug Reports
  • So I found a small but rather frustrating bug (don't judge by the title) in NodeBB.

    If you add an IP ban, no user is able to register, including IP addresses that are not supposed to be IP banned. An error occurs; well, the full HTML of an error page displays, saying NodeBB is unable to match the IPs. The error message is just an HTML blob; it doesn't display properly. Initially I thought this could be a Cloudflare-caused issue, so I disabled things like minify, Rocket Loader, etc., and cleared caches on Cloudflare and my local system; however, the problem persisted. The full HTML in the error message likely wasn't a Cloudflare-caused issue, otherwise other registration errors would also display as full HTML (purposely failing the captcha, https://i.imgur.com/5XooFnB.png, the error displays fine). However, with Cloudflare enabled, NodeBB is unable to match IPs and therefore the IP Bans feature cannot be used. My workaround is to issue IP bans at the Cloudflare level; however, it'd be nice if I could use the NodeBB built-in one. Thoughts?


    Nginx Configuration:

    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;

    events {
        worker_connections 2048;
        multi_accept on;
        use epoll;
    }

    http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 120;
        types_hash_max_size 2048;
        server_tokens off;

        ##
        # Security Options
        ##
        client_max_body_size 100m;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##
        include /etc/nginx/sites-enabled/*;
        include /etc/nginx/ipbans.conf;

        ##
        # Cloudflare Set Real IP
        # These directives come from ngx_http_realip_module: $remote_addr is
        # replaced with the value of real_ip_header only when the connecting
        # peer falls inside one of the set_real_ip_from ranges. Keep this list
        # in sync with Cloudflare's published ranges.
        ##
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 104.16.0.0/12;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 131.0.72.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 2400:cb00::/32;
        set_real_ip_from 2606:4700::/32;
        set_real_ip_from 2803:f800::/32;
        set_real_ip_from 2405:b500::/32;
        set_real_ip_from 2405:8100::/32;
        set_real_ip_from 2c0f:f248::/32;
        set_real_ip_from 2a06:98c0::/29;
        real_ip_header CF-Connecting-IP;
    }

    # A server block is only valid inside the http context. As pasted here it
    # follows the closing brace of http, so it belongs in a file picked up by the
    # sites-enabled include above (or must be moved inside http) for nginx to load it.
    server {
        listen 80;
        listen 443 ssl;
        root /var/www/html/;
        index index.html;
        server_name sinfulforums.net www.sinfulforums.net;

        # Main Location Block
        location / {
            proxy_http_version 1.1;
            # After realip has run, $remote_addr already holds the CF-Connecting-IP
            # value, so both headers below carry the real client address upstream.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_set_header X-NginX-Proxy true;
            proxy_redirect off;
            proxy_pass http://127.0.0.1:4567;

            types {
                application/javascript jst js;
                text/css css;
            }
        }

        # SSL Configuration
        ssl_certificate /etc/nginx/ssl/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
        # Cloudflare origin pull: only connections presenting a client certificate
        # signed by originpull.pem are accepted on 443.
        ssl_client_certificate /etc/nginx/ssl/originpull.pem;
        ssl_verify_client on;
        ssl_dhparam ssl/dhparam.pem;
        ssl_ecdh_curve secp384r1;
    }

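Added example, not part of the post and not NodeBB's own code: how an application sitting behind the nginx/Cloudflare chain above should derive the client address from a trusted-proxy list (the same rule the realip directives apply) and then match it against a ban list, so that one ban blocks only the banned address or range. The proxy ranges are taken from the config above plus the local proxy; the client addresses are constructed RFC 5737 documentation addresses.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample: a few of the Cloudflare ranges from the nginx config
# above, plus the local reverse proxy that talks to the application.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in [
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/12",
    "2400:cb00::/32", "2606:4700::/32", "127.0.0.1/32",
]]

def _norm(addr: str):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4
    so the same client is not seen as two different addresses."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def _trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr: str, xff: Optional[str]):
    """Walk X-Forwarded-For from the right, discarding trusted hops, and return
    the first address that is not a trusted proxy. The header is ignored when
    the socket peer itself is untrusted, so a client cannot pick its own IP."""
    peer = _norm(remote_addr)
    if not _trusted(peer) or not xff:
        return peer
    hops = [h for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = _norm(hop)
        except ValueError:
            return peer  # malformed header value: fall back to the socket peer
        if not _trusted(ip):
            return ip
        peer = ip
    return peer  # every hop was a trusted proxy

def is_banned(ip, bans: Iterable[str]) -> bool:
    """Match against single addresses or CIDR ranges of the same family only,
    so a ban entry never matches unrelated clients."""
    for entry in bans:
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False
```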
