
NGinx $proxy_add_x_forwarded_for and real_ip_header

I have a webapp under NGinx and another frontal load balancer, something like below (x.x.x.x = IP address):

Client(a.a.a.a) -> LB (b.b.b.b) -> NGX (c.c.c.c) -> WEBAPP (d.d.d.d)

Here is a snippet of my NGinx configuration:

    location / {
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Real-IP       $remote_addr;
        real_ip_header    X-Forwarded-For;
        set_real_ip_from  b.b.b.b;
        real_ip_recursive on;
    }

  1. The load balancer adds the X-Forwarded-For field with the client IP
    X-Forwarded-For = a.a.a.a
  2. NGinx searches for the client's real IP in the X-Forwarded-For header by omitting the LB IP (b.b.b.b) and changes $remote_addr from b.b.b.b to a.a.a.a, so proxy_set_header X-Real-IP $remote_addr becomes true (OK, that's what I want!)
    BUT, NGinx also completes the X-Forwarded-For header with the a.a.a.a IP instead of b.b.b.b
  3. WEBAPP receives the following headers:
    X-Forwarded-For = a.a.a.a, a.a.a.a
    X-Real-IP = a.a.a.a
    -> X-Forwarded-For should be a.a.a.a, b.b.b.b

What I need is the ability to first set proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for and then search for the real IP and replace the $remote_addr value.

Can anyone help me solve this problem?

pierrefevrier asked Mar 26 '15 13:03




2 Answers

The $proxy_add_x_forwarded_for is equal to $http_x_forwarded_for,$remote_addr, and the $remote_addr variable will be changed when http_realip_module is used. So you will not get the last proxy addr in that header. Changing the order of directives won't have an effect because nginx configuration is declarative.

When http_realip_module is used, the $realip_remote_addr variable (nginx >= 1.9.7) can be used as the original $remote_addr. So you can set your X-Forwarded-For header like this:

proxy_set_header X-Forwarded-For "$http_x_forwarded_for, $realip_remote_addr"; 
Y. King answered Oct 08 '22 20:10
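
The behaviour this answer describes, as an added example that is not part of the original answer or of nginx: a small Python model of the realip lookup and of both header forms. The addresses are constructed stand-ins for a.a.a.a and b.b.b.b, the function names are hypothetical, and well-formed header values are assumed.

```python
import ipaddress

def realip(peer, xff, trusted, recursive=True):
    """Model of real_ip_header X-Forwarded-For: returns the new $remote_addr.
    Assumes every address in the header is well formed."""
    nets = [ipaddress.ip_network(t) for t in trusted]        # set_real_ip_from
    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)
    if not xff or not is_trusted(peer):
        return peer                    # header is ignored for untrusted peers
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer
    if not recursive:
        return hops[-1]                # real_ip_recursive off: last address
    for hop in reversed(hops):         # on: last address that is not trusted
        if not is_trusted(hop):
            return hop
    return hops[0]                     # every hop trusted: leftmost address

def upstream_headers(peer, xff, trusted):
    """Headers the web app receives; peer is the TCP peer ($realip_remote_addr)."""
    remote_addr = realip(peer, xff, trusted)
    return {
        "X-Real-IP": remote_addr,
        # $proxy_add_x_forwarded_for: request header plus the rewritten $remote_addr
        "xff_default": f"{xff}, {remote_addr}" if xff else remote_addr,
        # "$http_x_forwarded_for, $realip_remote_addr": an absent header expands
        # to an empty string, so the value then starts with ", "
        "xff_fixed": f"{xff or ''}, {peer}",
    }

# Constructed addresses standing in for a.a.a.a (client) and b.b.b.b (LB)
CLIENT, LB = "203.0.113.10", "192.0.2.20"

if __name__ == "__main__":
    for label, xff in [("LB set header", CLIENT),
                       ("client sent its own entry first", f"198.51.100.7, {CLIENT}"),
                       ("no header", None)]:
        print(label, upstream_headers(LB, xff, [LB]))
```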


Same problem here. It's annoying, and I'm not actually sure if this is a feature or a bug :)

I know it's not a solution, but I've removed real_ip_header, and simply use the first IP address in X-Forwarded-For to get the client's IP address wherever I need it (e.g. logs).

faja answered Oct 08 '22 19:10