Forum: NGINX nginx problem with allow when forwarding through 2 proxy's

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Tomasz P. (Guest)
on 2008-12-18 14:08
(Received via mailing list)
Schema:

nginx1 -> nginx2 -> apache

On nginx2 i've got stub status module, and I want to allow only one ip
to view the data.
But when I add the directive, it won't work, because nginx2 sees that
connection came from nginx1 which is on the same machine as nginx2 so
client ip would be 127.0.0.1.

Is that a bug or it should be that way?
Maxim D. (Guest)
on 2008-12-18 14:51
(Received via mailing list)
Hello!

On Thu, Dec 18, 2008 at 12:55:58PM +0100, Tomasz P. wrote:

> Is that a bug or it should be that way?
http://wiki.codemongers.com/NginxHttpRealIpModule

Maxim D.
Tomasz P. (Guest)
on 2008-12-19 12:51
(Received via mailing list)
i think we misunderstood each other, nginx2 conf:

location / {
  set $my_host maintenance.my_domain;
  if ($remote_addr ~ ip.address) { set $my_host $host; }
  proxy_pass http://127.0.0.1:8080/;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header Host $my_host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

based on $remote_addr i show proper page or just maintenance page for
users when I need to, but now when I have another nginx (nginx1) in
front of nginx2 this won't work, because nginx2 sees $remote_addr as the
address of nginx1

same goes for allow directive, wont work on nginx2
Igor S. (Guest)
on 2008-12-19 16:15
(Received via mailing list)
On Fri, Dec 19, 2008 at 11:40:15AM +0100, Tomasz P. wrote:

>
> based on $remote_addr i show proper page or just maintenance page for
> users when I need to, but now when I have another nginx (nginx1) in
> front of nginx2 this won't work, because nginx2 sees $remote_addr as the
> address of nginx1

Maxim has showed the right link. You need to change $remote_addr on
nginx2
to X-Real-Ip value. Howeverm in you case you may simply use
$http_x_real_ip:

    location / {
         set $my_host maintenance.my_domain;
         if ($http_x_real_ip ~ ip.address) { set $my_host $host; }
         proxy_pass http://127.0.0.1:8080;
         proxy_set_header Host $my_host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }

Also you do not need to set

     proxy_set_header X-Real-IP $remote_addr;

on nginx2 as nginx1 has already set X-Real-IP to client's address.
This topic is locked and can not be replied to.