Nginx problem with allow when forwarding through 2 proxy's


#1

Schema:

nginx1 -> nginx2 -> apache

On nginx2 i’ve got stub status module, and I want to allow only one ip
to view the data.
But when I add the directive, it won’t work, because nginx2 sees that
connection came from nginx1 which is on the same machine as nginx2 so
client ip would be 127.0.0.1.

Is that a bug or it should be that way?


#2

Hello!

On Thu, Dec 18, 2008 at 12:55:58PM +0100, Tomasz P. wrote:

Is that a bug or it should be that way?
http://wiki.codemongers.com/NginxHttpRealIpModule

Maxim D.


#3

i think we misunderstood each other, nginx2 conf:

location / {
set $my_host maintenance.my_domain;
if ($remote_addr ~ ip.address) { set $my_host $host; }
proxy_pass http://127.0.0.1:8080/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $my_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

based on $remote_addr i show proper page or just maintenance page for
users when I need to, but now when I have another nginx (nginx1) in
front of nginx2 this won’t work, because nginx2 sees $remote_addr as the
address of nginx1

same goes for allow directive, wont work on nginx2


#4

On Fri, Dec 19, 2008 at 11:40:15AM +0100, Tomasz P. wrote:

based on $remote_addr i show proper page or just maintenance page for
users when I need to, but now when I have another nginx (nginx1) in
front of nginx2 this won’t work, because nginx2 sees $remote_addr as the
address of nginx1

Maxim has showed the right link. You need to change $remote_addr on
nginx2
to X-Real-Ip value. Howeverm in you case you may simply use
$http_x_real_ip:

location / {
     set $my_host maintenance.my_domain;
     if ($http_x_real_ip ~ ip.address) { set $my_host $host; }
     proxy_pass http://127.0.0.1:8080;
     proxy_set_header Host $my_host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }

Also you do not need to set

 proxy_set_header X-Real-IP $remote_addr;

on nginx2 as nginx1 has already set X-Real-IP to client’s address.