I have a website set up with nginx acting as a reverse proxy to apache 2.2, which is running php. From apache and php's perspective the IP address of all requests is the nginx server. I'd like php to see the same remote IP that nginx sees.
Nginx sets a header X-Real-IP which contains the remote IP that nginx sees. I tried doing something like this in the apache conf:
SetEnvIf ^X-Real-IP$ "(.+)" REMOTE_ADDR=$1
My hope was that I could set the REMOTE_ADDR environment variable and when php finally gets invoked, it would see the remote IP that nginx sees. I think the php code is doing this:
$_SERVER['REMOTE_ADDR']
Anyway, this isn't working. Can you not set REMOTE_ADDR in the apache config file?
Yes, it's safe. It is the source IP of the TCP connection and can't be substituted by changing an HTTP header.
$_SERVER['REMOTE_ADDR'] Returns the IP address from where the user is viewing the current page. $_SERVER['REMOTE_HOST'] Returns the Host name from where the user is viewing the current page. $_SERVER['REMOTE_PORT']
On Windows IIS 7 you must use $_SERVER ['LOCAL_ADDR'] rather than $_SERVER ['SERVER_ADDR'] to get the server's IP address. Guide to URL paths... Purpose: The URL path name of the current PHP file, including path-info (see $_SERVER ['PATH_INFO']) and excluding URL query string. Includes leading slash.
Using remote files As long as allow_url_fopen is enabled in php.ini, you can use HTTP and FTP URLs with most of the functions that take a filename as a parameter. In addition, URLs can be used with the include, include_once, require and require_once statements (allow_url_include must be enabled for these).
(PHP 4 >= 4.1.0, PHP 5, PHP 7, PHP 8) $_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server. There is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here.
All elements of the $_SERVER array whose keys begin with 'HTTP_' come from HTTP request headers and are not to be trusted. 2. All HTTP headers sent to the script are made available through the $_SERVER array, with names prefixed by 'HTTP_'. 3. $_SERVER ['PHP_SELF'] is dangerous if misused.
Not sure whether REMOTE_ADDR
can be changed that way...
Actually, you might need to install / enable another Apache module, like mod_rpaf
(quoting) :
It changes the remote address of the client visible to other Apache modules when two conditions are satisfied.
First condition is that the remote client is actually a proxy that is defined in httpd.conf.
Secondly if there is an incoming X-Forwarded-For header and the proxy is in it's list of known proxies it takes the last IP from the incoming X-Forwarded-For header and changes the remote address of the client in the request structure.
It also takes the incoming X-Host header and updates the virtualhost settings accordingly.
For Apache2 mod_proxy it takes the X-Forwared-Host header and updates the virtualhosts
Here's a blog-post about that : Nginx proxy to Apache - access remote host IP address using mod_praf
Update: original link not working right now, but it is available also as a debian package: apt-get install libapache2-mod-rpaf
I have solved this using mod_remoteip for Apache. mod_remoteip is for Apache 2.5 but thanks to this guy you can use it on Apache 2.2.x as well.
Download mod_remoteip.c from https://gist.github.com/1042237 and compile it with
apxs -i -a -c mod_remoteip.c
This should create mod_remoteip.so copy in the modules directory. apxs will also add LoadModule directive in your httpd.conf for newly created module.
Open httpd.conf and check does LoadModule directive for mod_remoteip exists
LoadModule remoteip_module modules/mod_remoteip.so
Add RemoteIPHeader directive in httpd.conf
RemoteIPHeader X-Forwarded-For
This directive will instruct mod_remoteip to use X-Forwarded-For value from nginx as remote_addr. You can also use X-Real-IP instead:
RemoteIPHeader X-Real-IP
Restart the Apache. If you have set the proxy headers in nginx it will work like a charm and remote_addr in Apache will be correct
# nginx conf
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Apache (requires mod_headers module):
SetEnvIf X-Real-IP "^(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+).*" XFF_CLIENT_IP=$1
RequestHeader set REMOTE_ADDR %{XFF_CLIENT_IP}e
REF for SetEnvIf RegEx: https://stackoverflow.com/a/10346093
Works also but doesn't verify input as IP:
SetEnvIf X-Real-IP "^(.*)" XFF_CLIENT_IP=$1
RequestHeader set REMOTE_ADDR %{XFF_CLIENT_IP}e
In PHP:
$_SERVER["HTTP_REMOTE_ADDR"]
-or-
$_SERVER["REMOTE_ADDR"]
No non-core Apache modules required
You may try this simple PHP module
https://github.com/yohgaki/realip
It simply rewrites $_SERVER['REMOTE_ADDR'] with X-Forwarded-For or X-Real-IP whatever header you like. You can accomplish this with many different method, but I just would like to do it as PHP module. So I wrote it.
I don't know whether REMOTE_ADDR can be manipulated - it could be that it can't - but you should be able to get hold of the X-Real-IP header within PHP through something like
$_SERVER["HTTP_X_Real_IP"]
or similar - check phpinfo()
for the correct notation.
Also, Apache environment variables set in .htaccess
should be visible in PHP.
mod_rpaf (sudo apt-get install libapache2-mod-rpaf)
resolved all issues and REMOTE_ADDRR now looks Ok!..
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With