I’m in a situation where we have a 3rd party canned app (CF and Java on
IIS) that we want to put behind an nginx proxy server. Unfortunately,
we have no control over the app and/or web server, so we cannot tell it
to use X-Forwarded-For when doing logging, IP restrictions, etc. Is
there anything I can do to make nginx pass the actual client IP without
using alternative headers?
Maybe I’m misunderstanding your request here, but within nginx it’s very
easy to attach the X-Forwarded-For value and pass it to the next
device/upstream.
All you have to do is set the following variable in your proxy
configuration file (or per config if you choose to do it separately for
different upstreams)
Thanks for the response, but yes you are slightly misunderstanding,
mainly because I don’t think I was clear enough. IIS cannot process
an X-Forwarded-For header without installing a special ISAPI filter.
We cannot install the required ISAPI filter because the vendor will not
let us. So we are looking for a way to rewrite the IP address that
nginx uses when making the request from the backend server.
I see now. I don’t think there would be any other workaround if you can’t
install the required scripts to allow IIS proper understanding of
X-Forwarded-For.
You could rewrite the stack and swap remote_addr for x_forwarded_for,
but that would probably break more things and it’s not something that is
easily done.
I’m assuming you require X-Forwarded-For for proper session/user management? If
so, have you thought about using phpsessid or something similar, then matching on the
unique cookie and handling the connection properly?
If the issue is more of user authentication via real IP, then you could
use LDAP with nginx and try to authenticate users that way.
On Fri, Mar 26, 2010 at 03:31:45PM -0400, cschiewek wrote:
Hi All,
I’m in a situation where we have a 3rd party canned app (CF and Java on IIS) that we want to put behind an nginx proxy server. Unfortunately, we have no control over the app and/or web server, so we cannot tell it to use X-Forwarded-For when doing logging, IP restrictions, etc. Is there anything I can do to make nginx pass the actual client IP without using alternative headers?
No, nginx does not support this: it requires routing on IP (L3) level.
And even on layer 3 it’s not so simple to do this; it would require either
a lot of netfilter hooks and perhaps some hacking.
Another way to do this is if you were using Linux on the end dst_ip
server with a broken TCP stack (like kern 2.2 for example). You could
use nginx to perform mnm spoof connections … but this will not work as
of like 3 years ago =)