I have configured Nginx to require HTTP Basic auth for a website I'm working on that isn't yet public. I included an allow clause to permit the IP address of the company's head office to view the site without entering a password. This worked initially; however, after placing the Nginx server behind a load balancer (AWS ELB), the IP address Nginx sees is actually the IP address of the load balancer, NOT of the requesting web client - so it stopped working.
I have the real IP address of the client in the X-Forwarded-For header. Is there a way to get Nginx to recognise the client and let it in without logging in?
You should use the NGINX real-IP module for that.
I have described the use of this module here: Stack Overflow #66692200
Basically you need to do
real_ip_header X-Forwarded-For;
real_ip_recursive off;
You should check if you are able to set the ELB-IP as the only one that will be allowed to send the X-Forwarded-For header. Find out more information here
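
A fuller configuration along the lines of this answer, combining the real-IP directives with the allow rule and Basic auth from the question. This is an added example, not part of the original answer; the server name, the 10.0.0.0/16 load balancer range, the 203.0.113.10 office address, the document root and the htpasswd path are all placeholders.

```nginx
# Added example: addresses, names and paths are placeholders, not values from the post.
server {
    listen 80;
    server_name staging.example.com;            # placeholder

    # Accept X-Forwarded-For only when the TCP peer is the load balancer.
    # 10.0.0.0/16 stands in for the subnets the ELB nodes run in; requests
    # from any other peer keep their real socket address.
    set_real_ip_from 10.0.0.0/16;
    real_ip_header   X-Forwarded-For;

    # off: use the last address in the header, which is the one the ELB
    # appended. Entries further left were supplied by the client and are
    # ignored, so a forged header cannot impersonate the office address.
    real_ip_recursive off;

    location / {
        # Either condition grants access: a matching allow rule
        # OR valid Basic auth credentials.
        satisfy any;

        allow 203.0.113.10;                     # head office (placeholder)
        deny  all;

        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;   # assumed path

        root /var/www/html;                     # placeholder
    }
}
```

Keep the `set_real_ip_from` range as narrow as the load balancer's addresses allow: any peer inside it can set the header and be treated as the office address.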