Ip based access behind nginx load balancer

I’m sure this has been asked before, but I could not find an answer.I’m
using nginx-0.7.66.I have 6 webservers running Apache, tomcat, IIS on
it. We are using ip base access for some directories and files on our
servers.But when we use nginx as a load balancer, these rules (ip based
access on apache,tomcat and IIS) are not working , because of our
servers are seeing Nginx’s ip address as client ip address.

Does anybody know how I can pass client’s ip addresses directly through
our servers on Nginx?

here is our sample nginx.conf
#########################

#user nobody;
worker_processes 16;

error_log logs/error.log;
pid logs/nginx.pid;

events {
worker_connections 1024;
}

upstream webserver_a {
ip_hash;
server 192.168.100.4:80;
server 192.168.100.5:80;
}

server {
listen *:80;
server_name our.domain.com;
access_log logs/webserver_a.access.log;

location / {

proxy_set_header  X-Real-IP  $remote_addr;
# needed for HTTPS
proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_max_temp_file_size 0;

  proxy_pass http://webserser_a;
} # location

} # server
} # http

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,97154,97154#msg-97154

You are allready pasing them back to your backend servers with:

proxy_set_header X-Real-IP $remote_addr;

The thing you need now is that the backend webservers use this as the
real
clients IP.

For Apache you can use mod_rpaf http://stderr.net/apache/rpaf/ ( just
change the RPAFheader to X-Real-IP obviosly).
For nginx you use the RealIp module (
http://wiki.nginx.org/NginxHttpRealIpModule )

For IIS I am not sure (as I dont use it) but quick googling gave
something
like this http://www.winfrasoft.com/X-Forwarded-For.htm

rr


From: “ahlatci” [email protected]
Sent: Friday, June 11, 2010 6:05 PM
To: [email protected]
Subject: ip based access behind nginx load balancer

To add to my previous mail - turns out that mod_rpaf is not always the
best
choice (as apparently as reported it doesnt work on .htaccess files).

So there is some a bit oldish link to a new module for apache2
mod_realip2
which solves this problem http://www.lexa.ru/nginx-ru/msg20706.html

rr

Thank you for your answers but it did not help me. Because I m using
IIS, tomcat and Apache and I need to resolve for all http server.
When I try to show client’s ip on server , I can see by like this jsp
code " out.print(request.getHeader(“X-Real-IP”));"

but ip based access rules on apache,tomcat and IIS are not
working.Actually I need to not change client’s ip. could ngnix work
transparent mode ?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,97154,97237#msg-97237

For “transparent” mode you need a layer 4 load balancer where the
balancing
is done on tcp level rather than http ( which is layer 7 and is done by
nginx ) - something like ‘haproxy’ ( http://haproxy.1wt.eu/ ) or squid (
http://wiki.squid-cache.org/Features/Tproxy4 ).

In short - a simple http proxy can’t do that.

You will also need either an old linux kernel (2.2 which can spoof the
client ips to backends) or afaik since 2.6.28 the tproxy support comes
with
the kernel (older ones you would need to patch (
http://www.balabit.com/support/community/products/tproxy/ ) ).

Using the header method allows you to skip the need of doing all that.

Regarding apache read my previous mail - about mod_realip2 ( it can make
the
webserver to see the request incomming from clients rather than proxy ip
).

While of course nginx could maybe do this also on its own I don’t
really
see this happening as in nginx + ( nginx / apache / lighty etc )
combinations the realip modules of each webserver accomplish the task
pretty
fine in more simple and controllable way. There might be even an easy
solution for IIS to do the same… but as I havent touched it for 10
years
can’t help there :slight_smile:

rr


From: “ahlatci” [email protected]
Sent: Friday, June 11, 2010 8:36 PM
To: [email protected]
Subject: Re: ip based access behind nginx load balancer