I have a webapp under NGinx and another frontal load balancer, something like below (x.x.x.x = IP address):
Client(a.a.a.a) -> LB (b.b.b.b) -> NGX (c.c.c.c) -> WEBAPP (d.d.d.d)
Here is a snippet of my NGinx configuration:
location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    real_ip_header X-Forwarded-For;
    set_real_ip_from b.b.b.b;
    real_ip_recursive on;
}

X-Forwarded-For field with client IP
X-Forwarded-For = a.a.a.a
X-Forwarded-For header by omitting LB IP (b.b.b.b) and change $remote_addr from b.b.b.b to a.a.a.a so proxy_set_header X-Real-IP $remote_addr become true (OK that's what I want!)
X-Forwarded-For header with a.a.a.a IP instead of b.b.b.b
X-Forwarded-For = a.a.a.a, a.a.a.a
X-Real-IP = a.a.a.a
X-Forwarded-For should be a.a.a.a, b.b.b.b

What I need is the ability to set first proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for and then search for real IP and replace $remote_addr value.
Can anyone help me solve this problem?
The ngx_http_realip_module module is used to change the client address and optional port to those sent in the specified header field. This module is not built by default; it should be enabled with the --with-http_realip_module configuration parameter.
The PROXY protocol enables NGINX and NGINX Plus to receive client connection information passed through proxy servers and load balancers such as HAproxy and Amazon Elastic Load Balancer (ELB). With the PROXY protocol, NGINX can learn the originating IP address from HTTP, SSL, HTTP/2, SPDY, WebSocket, and TCP.
The $proxy_add_x_forwarded_for is equal to $http_x_forwarded_for,$remote_addr, and the $remote_addr variable will be changed when http_realip_module is used. So you will not get the last proxy addr in that header. Changing the order of directives won't have an effect because nginx configuration is declarative.
When http_realip_module is used, the $realip_remote_addr variable (nginx >= 1.9.7) can be used as the original $remote_addr. So you can set your X-Forwarded-For header like this:
proxy_set_header X-Forwarded-For "$http_x_forwarded_for, $realip_remote_addr";
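The behaviour described in this answer, as an added example that is not part of the original answer or of nginx itself: a simplified Python model of how real_ip_header X-Forwarded-For with real_ip_recursive on rewrites $remote_addr, and what the web app then receives under each X-Forwarded-For setting. The function names are hypothetical, the addresses are constructed stand-ins for a.a.a.a and b.b.b.b, and ports in header entries are not modelled.

```python
import ipaddress

CLIENT, LB = "203.0.113.10", "192.0.2.20"   # constructed stand-ins for a.a.a.a / b.b.b.b

def _trusted(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def resolve_real_ip(peer, xff, set_real_ip_from, recursive=True):
    """Value $remote_addr takes after realip processing of X-Forwarded-For."""
    nets = [ipaddress.ip_network(n) for n in set_real_ip_from]
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    addr = peer
    # Walk right to left; only keep going while the current address is a trusted proxy.
    while hops and _trusted(addr, nets):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                      # unparsable entry: keep what was resolved so far
        addr = candidate
        if not recursive:
            break
    return addr

def upstream_headers(peer, xff, set_real_ip_from, use_realip_remote_addr=False):
    """Headers the web app receives for the two X-Forwarded-For settings."""
    remote_addr = resolve_real_ip(peer, xff, set_real_ip_from)
    if use_realip_remote_addr:
        # "$http_x_forwarded_for, $realip_remote_addr": literal string, original peer
        forwarded = f"{xff or ''}, {peer}"
    else:
        # $proxy_add_x_forwarded_for appends the already rewritten $remote_addr
        forwarded = f"{xff}, {remote_addr}" if xff else remote_addr
    return {"X-Forwarded-For": forwarded, "X-Real-IP": remote_addr}

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, upstream_headers(LB, CLIENT, [LB], fixed))
    # A client-supplied left-most entry is not picked, because the walk stops
    # at the first address that is not in set_real_ip_from.
    print(resolve_real_ip(LB, f"198.51.100.99, {CLIENT}", [LB]))
```

When a request arrives with no X-Forwarded-For header at all, the literal string form produces a value with a leading comma (", 192.0.2.20" in this model), so the web app's header parsing has to tolerate an empty first entry.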
Same problem here. It's annoying, and I'm not actually sure if this is a feature or a bug :)
I know it's not a solution, but I've removed real_ip_header, and simply use the first IP address in X-Forwarded-For to get the client's IP address wherever I need it (e.g. logs).