Retrieve remote IP address in a reverse proxy setup

Good day to you all.

I need assistance on an issue I am faced with.

I have an nginx reverse proxy, behind which is an Elixir application.

The challenge I have is that the only IP reaching the Elixir application is the local IP of the server on which the nginx reverse proxy resides.
Is there a way I can retrieve the remote IP address of the client application?

I need it to be able to secure my platform and only allow IPs whitelisted in my database.

I would be most grateful for your response.

Thanks.

Jerry

3 Likes

Making authz/authn decisions based only on client IP is extremely fraught with peril, so please be sure to continue to follow good practices and use a strong credential model as well. Treat client IP as something that can only deny access on a mismatch, rather than something that can allow access on a successful match.

I’ve seen another similar practice where organizations consider your ability to connect to the application, by being on VPN or otherwise being allowed through network-level whitelists, to be sufficient security, and in most cases this is both lazy and unsafe.

2 Likes
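
An added example, not part of the thread or any poster's code: a Plug that reads the client address from a proxy header only when the peer is the nginx proxy, and uses the allowlist strictly as a deny step, as the reply above advises. It assumes nginx runs on the same host and is configured with `proxy_set_header X-Real-IP $remote_addr;`. `ClientIpGate` and `MyApp.Allowlist.allowed?/1` are hypothetical names.

```elixir
defmodule ClientIpGate do
  @moduledoc """
  Added example: deny-only client-IP gate for an app behind a reverse proxy.
  Passing this plug does NOT authenticate the caller; a credential check
  must still run after it in the pipeline.
  """
  import Plug.Conn

  # Assumption: only the local nginx is allowed to speak for other clients.
  @trusted_proxies [{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 1}]

  def init(opts), do: Keyword.fetch!(opts, :allowlist)

  # `allowlist` is a module exporting allowed?/1 (hypothetical, e.g. a DB lookup).
  def call(conn, allowlist) do
    with {:ok, ip} <- client_ip(conn),
         true <- allowlist.allowed?(ip) do
      # Keep the resolved address for logging and later checks.
      assign(conn, :client_ip, ip)
    else
      _ -> conn |> send_resp(403, "Forbidden") |> halt()
    end
  end

  @doc "Resolve the real client address, failing closed on anything odd."
  def client_ip(conn) do
    if conn.remote_ip in @trusted_proxies do
      # The peer is our proxy, so the header it set can be believed.
      # Zero or several X-Real-IP values, or an unparsable one, is an error.
      with [value] <- get_req_header(conn, "x-real-ip"),
           charlist = value |> String.trim() |> String.to_charlist(),
           {:ok, ip} <- :inet.parse_address(charlist) do
        {:ok, ip}
      else
        _ -> :error
      end
    else
      # Direct connection: a client-supplied header is ignored entirely,
      # otherwise anyone could claim an allowlisted address.
      {:ok, conn.remote_ip}
    end
  end
end
```

In a router pipeline this would sit before the authentication plug, for example `plug ClientIpGate, allowlist: MyApp.Allowlist`, so a mismatch rejects early and a match still has to present valid credentials.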

Hello @shanesveller,

Your comments are very well noted.

Thanks.

Jerry

Hello @LostKobrakai,

Thanks for your response.

It is well appreciated.

Regards,

Jerry

That was so complex. I checked out how Plausible Analytics manages it and it’s super easy!

2 Likes