geoip2_proxy_recursive
The 'geoip2_proxy_recursive' directive enables recursive lookups of GeoIP2 data when used behind a proxy.
Description
The 'geoip2_proxy_recursive' directive in the NGINX GeoIP2 module configures whether NGINX should perform recursive lookups for GeoIP data when the request is proxied. This functionality is essential in environments where the client IP address is forwarded through multiple proxy layers, as it allows the retrieval of accurate geolocation data corresponding to the original client IP rather than that of the last proxy. When enabled, NGINX evaluates the X-Forwarded-For HTTP header, effectively tracing back to the initial client's IP address.
This directive is set as a flag in the NGINX configuration and can accept two states: on (enabled) or off (disabled). If set to on, NGINX will recursively resolve the IP address through the list of forwarded IPs found in the X-Forwarded-For header, ensuring that the geographic lookup is based on the correct IP address.
To use this directive properly, the server must be configured to trust forwarding headers only from the specific proxies that sit in the request path. A misconfigured proxy list can lead to false readings or misuse of the directive, because untrusted proxies might send incorrect or manipulated headers. Developers should know exactly which proxies are trusted in their architecture so that geolocation lookups stay accurate.
Config Example
http {
    geoip2 /etc/maxmind-country.mmdb {
        auto_reload 5m;
        $geoip2_data_country_code default=US source=$remote_addr country iso_code;
    }
    geoip2_proxy_recursive on;
}
Ensure that the X-Forwarded-For header is set correctly by all upstream proxies, or the directive will not function accurately.
When enabling this directive, you may need to implement additional security measures to prevent header manipulation from untrusted proxies.
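The trust rule described above can be checked offline with a small model. This is an added example, not code from the module: it assumes the usual NGINX behaviour of walking X-Forwarded-For from right to left while the current address is in the trusted list (the list the module's geoip2_proxy directive supplies). The function name, CIDR ranges and addresses are constructed for illustration.

```python
import ipaddress


def lookup_address(peer, xff, trusted_cidrs, recursive):
    """Return the address a GeoIP lookup would use (simplified model)."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def trusted(ip):
        return any(ip in n for n in nets)

    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",")] if xff else []
    # Walk X-Forwarded-For right to left, but only while the address we
    # currently hold belongs to a trusted proxy.
    while hops and trusted(addr):
        try:
            candidate = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: keep the last good address
        addr = candidate
        if not recursive:
            break  # non-recursive: take the last entry and stop
    return str(addr)


# Constructed sample: internal proxies live in 10.0.0.0/8. The leftmost
# X-Forwarded-For entry was supplied by the client and may be forged.
TRUSTED = ["10.0.0.0/8"]
XFF = "198.51.100.7, 203.0.113.9, 10.0.0.4"

if __name__ == "__main__":
    cases = [
        ("recursive on", "10.0.0.5", XFF, TRUSTED, True),
        ("recursive off", "10.0.0.5", XFF, TRUSTED, False),
        ("untrusted peer", "203.0.113.9", "198.51.100.7", TRUSTED, True),
        ("trust everything", "10.0.0.5", XFF, ["0.0.0.0/0"], True),
    ]
    for label, peer, header, nets, rec in cases:
        print(f"{label:17} -> {lookup_address(peer, header, nets, rec)}")
```

The "trust everything" case shows why the trusted list must be narrow: with every hop trusted, the walk ends on the leftmost, client-controlled entry.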