Hi all,
My first post on the MikroTik forum.
I have a MikroTik virtual FW sitting behind a reverse proxy (nginx). The problem now is that the MikroTik only sees the REMOTE_ADDR IP, which is the IP of the nginx reverse proxy server. I need to be able to whitelist certain IPs on the MikroTik. Right now I can only enable and disable all, since everything comes from the nginx IP.
Is there a way to parse the headers to get the HTTP_X_FORWARDED_FOR?
Like this I can allow and deny based on the HTTP_X_FORWARDED_FOR IP and not the whole nginx IP.
Help needed and much appreciated, and I hope I can be an active member on your forum.
Kind regards
Hmmm - giving a little thought to L7 protocol matchers, but even that is not going to work well - because the L7 feature is just going to match against regex and not against IP address list.
Perhaps the nginx system has hooks for IP blacklisting - that would be a much better place to implement this anyway.
You could probably configure the http daemons on the servers themselves to watch this header for access/blacklist behavior.
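For anyone taking the "watch this header on the servers themselves" route, the part that is easy to get wrong is trust: X-Forwarded-For is set by whoever connects, so a client can send its own fake value and the proxy simply appends the real address after it. The allow-list check therefore has to walk the list from the right and skip only the hops that belong to your own proxy. The following is an added illustration, not code from this thread or from nginx/MikroTik; it assumes nginx forwards with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` (so the connecting address is appended as the last entry) and uses constructed addresses for the proxy and the whitelist.

```python
import ipaddress

# Constructed for this example: the reverse proxy we operate. Only a hop
# appended by one of these addresses is believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

# Constructed for this example: the clients that may reach the service.
ALLOWED_CLIENTS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def _in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def client_ip(remote_addr, xff_header):
    """Derive the real client address from REMOTE_ADDR and X-Forwarded-For.

    Rules applied, right to left:
      * If the TCP peer (REMOTE_ADDR) is not one of our proxies, the header
        did not come through us and is ignored: the peer is the client.
      * Otherwise walk the comma-separated list from the right, skipping
        addresses that are our own proxies; the first other address is the
        client as seen by the nearest trusted proxy.
    Returns None when no usable client address can be determined, which the
    caller treats as "deny".
    """
    remote = ipaddress.ip_address(remote_addr)
    if not _in_any(remote, TRUSTED_PROXIES):
        return remote

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            # A malformed entry where a trusted hop should be: fail closed.
            return None
        if not _in_any(candidate, TRUSTED_PROXIES):
            return candidate
    # Header empty, or every entry was one of our proxies.
    return None


def is_allowed(remote_addr, xff_header):
    """Allow only when the derived client address is on the whitelist."""
    ip = client_ip(remote_addr, xff_header)
    return ip is not None and _in_any(ip, ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed requests: (REMOTE_ADDR, X-Forwarded-For as received)
    samples = [
        ("10.0.0.5", "203.0.113.9"),                 # honest client via proxy
        ("10.0.0.5", "203.0.113.9, 192.0.2.55"),     # spoofed header, proxy appended real IP
        ("192.0.2.55", "203.0.113.9"),               # bypassed the proxy entirely
        ("10.0.0.5", ""),                            # proxy forwarded nothing
    ]
    for remote, xff in samples:
        print(f"{remote:<12} XFF={xff!r:<28} client={client_ip(remote, xff)} "
              f"allowed={is_allowed(remote, xff)}")
```

Note the two failure cases the walk catches: a client that prepends a whitelisted address is still identified by the entry nginx appended after it, and a client that connects straight to the backend (REMOTE_ADDR not a trusted proxy) has its header discarded outright. Whichever device ends up enforcing the list, it needs the same "nearest trusted hop" logic rather than taking the first address in the header.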
If you want to implement this in Mikrotik firewall rules, then the best option would be to place the Mikrotik “in front of” the reverse proxy and do your blacklisting there at the front door. (probably better anyway, because if you block in the middle, it’s going to leave the reverse proxy bogged down with requests that get blocked internally)
You need to configure your access restrictions on the nginx itself. As far as I’m aware there’s no way to restrict management access to RouterOS (WebFig) based on custom HTTP headers.
Andriys brought up a point I hadn’t considered, that it’s the Mikrotik itself you’re trying to access… I’d suggest just using an alternate port (888, 8080, etc) if it’s for management purposes, and bypass the load balancer’s influence that way. Then you can govern access to port xxxx using IP address-list + the INPUT chain of the firewall filters.