Nginx/iptables passing ipclient ip

Hi,

I have an nginx reverse proxy set up on an Ubuntu server to pass to
webservers…

Setup…

Ubuntu-nginx
eth1 = external_ip
eth0 = internal_ip

Webserver 1 ip XX1
webserver 2 ip XX2

nginx is forwarding traffic to webservers…

I tried both…

proxy_set_header X-Forwarded-For $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

I have iptables for my firewall with proper ports and IPs open…

the ip address I still see in the logs is the eth0 = internal_ip
I can change the ip the webserver is seeing using POSTROUTING SNAT
iptables…

This led me to believe I have something misconfigured that the Nginx
cannot pass the real client IP to the webservers…

Thanks,

Posted at Nginx Forum:

On Fri, Nov 29, 2013 at 05:44:41PM -0500, Todd@VRG wrote:

Hi there,

nginx is forwarding traffic to webservers…

proxy_set_header X-Forwarded-For $remote_addr;

the ip address I still see in the logs is the eth0 = internal_ip

Using tcpdump, or otherwise, watch the request going from nginx to the
web server. Does it have what you expect to see in the X-Forwarded-For:
header? If so, nginx is doing all it can do; you must configure the web
server to make use of that header value instead of the address that it
actually sees the connection coming from. That web server documentation
should say how to do that.

f

Francis D.

On Fri, Nov 29, 2013 at 11:44 PM, Todd@VRG wrote:

I have iptables for my firewall with proper ports and IPs open…

the ip address I still see in the logs is the eth0 = internal_ip
I can change the ip the webserver is seeing using POSTROUTING SNAT
iptables…

This led me to believe I have something misconfigured that the Nginx
cannot pass the real client IP to the webservers…

Disclaimer: maybe I’ve misunderstood you :)

Do you realize that what “proxy_set_header X-Forwarded-For $remote_addr;”
would do is change the HTTP header, not the IP header?

What this means is that your internal facing web servers will see IP
traffic with SRC=internal_ip, however if you inspect the HTTP headers
of those requests, you will find that there is an
HTTP.X-Forwarded-For set to $remote_addr;

no more, no less than that :)

br

Marc
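
What both replies describe, seen from the web server's side, as an added example that is not part of the original thread: the TCP source address stays internal_ip, so the backend has to read X-Forwarded-For itself, and should do so only when the connection comes from the proxy. The proxy address 10.0.0.5 and the function names are assumptions made for illustration.

```python
import ipaddress
from typing import Optional

# Assumption: the nginx proxy's internal address (eth0) as the web servers see it.
# 10.0.0.5 is a constructed placeholder, not a value from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP and belongs to a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to log for a request.

    peer_addr  -- source address of the TCP connection (internal_ip behind nginx)
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    # Honour the header only when the connection really comes from the proxy;
    # any other peer could have written the header itself.
    if not _is_trusted(peer_addr) or not xff_header:
        return peer_addr
    # Walk right to left. With $remote_addr there is a single entry; with
    # $proxy_add_x_forwarded_for nginx appends to whatever the client sent,
    # so only the rightmost entry was written by the proxy.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to what was seen
        if not _is_trusted(hop):
            return hop
    return peer_addr  # every listed hop was a trusted proxy
```
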