Nginx as Proxy and IP forwarding

Hi All,

I’m in a situation where we have a 3rd party canned app (CF and Java on
IIS) that we want to put behind an nginx proxy server. Unfortunately,
we have no control over the app and/or web server, so we can not tell it
to use X-Forwarded-For when doing logging, IP restrictions, etc. Is
there anything I can do to make nginx pass the actual client IP without
using alternative headers?

Thanks,

Curtis

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,68228,68228#msg-68228

Hey Curtis,

Maybe I'm misunderstanding your request here, but within nginx it's very
easy to attach the X-Forwarded-For value and pass it to the next
device/upstream.
All you have to do is set the following variable in your proxy
configuration file (or per config if you choose to do it separately for
different upstreams):

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Regards,
Payam

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,68228,68235#msg-68235
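
What the directive above puts on the wire, and how a backend that is able to read the header should interpret it, shown as an added example that is not part of the original thread. The addresses and the function names are constructed for illustration; the append behaviour modelled in `proxy_add_x_forwarded_for` is how nginx documents that variable.

```python
import ipaddress


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Model of nginx's $proxy_add_x_forwarded_for: the client's own
    X-Forwarded-For value (if any) with $remote_addr appended."""
    if incoming_xff:
        return f"{incoming_xff}, {remote_addr}"
    return remote_addr


def client_ip(peer_addr, xff, trusted_proxies):
    """Pick the address a backend should log or apply IP rules to.

    The header is honoured only when the TCP peer is a trusted proxy.
    The chain is then walked right to left; the first address that is
    not a trusted proxy is the client. Entries further left were sent
    by the client and can be forged.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    if not trusted(peer_addr):
        return peer_addr  # direct connection: ignore the header entirely
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not trusted(hop):
                return hop
        except ValueError:
            return peer_addr  # malformed entry: fall back to the TCP peer
    return peer_addr


# Constructed scenario: nginx at 10.0.0.5, real client 203.0.113.7,
# and the client sends its own forged "X-Forwarded-For: 192.168.1.1".
NGINX = "10.0.0.5"
forwarded = proxy_add_x_forwarded_for("192.168.1.1", "203.0.113.7")

if __name__ == "__main__":
    print("header sent upstream:", forwarded)
    print("leftmost entry (forgeable):", forwarded.split(",")[0])
    print("resolved client:", client_ip(NGINX, forwarded, [NGINX + "/32"]))
```

A backend that cannot read the header at all sees only the TCP peer, which is the proxy's address for every request.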

Hi Payam,

Thanks for the response, but yes you are slightly misunderstanding,
mainly because I don’t think I was clear enough. IIS can not process
an X-Forwarded-For header without installing a special ISAPI filter.
We can not install the required ISAPI filter because the vendor will not
let us. So we are looking for a way to rewrite the IP address that
nginx uses when making the request from the backend server.

Thanks again,

Curtis

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,68228,68237#msg-68237

I see now, I don't think there would be any other workaround if you can't
install the required scripts to allow IIS proper understanding of
X-Forwarded-For.

You could re-write the stack and swap remote_addr for x_forwarded_for
but that would probably break more things and it's not something that is
easily done.

I'm assuming you require X-Forwarded-For for proper session/user management? If
so, thought about using phpsessid or something similar then match on the
unique cookie and handle the connection properly?

If the issue is more of user authentication via real IP then you could
use LDAP with nginx and try to authenticate users that way.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,68228,68240#msg-68240

On Fri, Mar 26, 2010 at 03:31:45PM -0400, cschiewek wrote:

> Hi All,
>
> I’m in a situation where we have a 3rd party canned app (CF and Java on IIS) that we want to put behind an nginx proxy server. Unfortunately, we have no control over the app and or web server so we can not tell it to use X-Forwarded-For when doing logging, ip restrictions, etc. Is there anything I can do to make nginx pass the actual client IP without using alternative headers?

No, nginx does not support this: it requires routing on IP (L3) level.


Igor S.
http://sysoev.ru/en/

And even on layer 3 it's not so simple to do this, it would require either
a lot of netfilter hooks and perhaps some hacking.

Another way to do this is if you were using Linux on the end dst_ip
server with a broken TCP stack (like kern 2.2 for example). You could
use nginx to perform mnm spoof connections … but this will not work as
of like 3 years ago =)

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,68228,68284#msg-68284

heh exactly my point =)

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,68228,68314#msg-68314

> another way to do this is if you were using linux on the end dst_ip server
> with a broken tcp stack (like kern 2.2 for example). you could use nginx
> to perform mnm spoof connections … but this will not work as of like 3
> years ago =)

I doubt he is running IIS on Linux 2.2 :wink:

Best regards,
Piotr S. < [email protected] >

Thank you kindly, gentlemen. That's what I assumed, and was really just
looking for confirmation.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,68228,69780#msg-69780
