NginX SSL reverse mode, client ip address problem

In NginX reverse mode,

There is a problem that can’t get real client’s Ip address.

If I use Http protocol, I can simply handle this problem with below http
configuration.

http {
server {
listen 80;
location / {
proxy_set_header X-forwarded-for;
proxy_pass http://destAddress;
}
}
}

The problem is in SSL.

I don’t want to use http ssl listen becase of SSL handshaking burden on
NginX.

I decided to use stream codec like below.

stream {
upstream aa34 {
zone first_row 64k;
server google.com fail_timeout=5s;
}
server {
listen 127.0.0.1:8081;
location / {
proxy_pass https://aa34;
}
}
In this case, I think I can’t specify any http related parameters like
‘X-forwarded-for’.
Is there any way to change source ip address of TCP/IP Protocol
header(Ip
Header) to client’s real Ip ?

Thanks.

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,263299,263299#msg-263299

Hi WANJUNE.

Am 06-12-2015 07:14, schrieb WANJUNE:

In NginX reverse mode,

There is a problem that can’t get real client’s Ip address.

[snipp]

server {
    listen 127.0.0.1:8081;
    location / {
        proxy_pass https://aa34;
}

}
In this case, I think I can’t specify any http related parameters like
‘X-forwarded-for’.
Is there any way to change source ip address of TCP/IP Protocol
header(Ip
Header) to client’s real Ip ?

How about to use the proxy protocol?
http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt

This option was introduced in 1.9.2

##############
http://nginx.org/en/CHANGES
Changes with nginx 1.9.2 16 Jun
2015

*) Feature: the “proxy_protocol” directive in the stream module.
##############

It’s not yet in the documentation but in the code :wink:

http://nginx.org/en/docs/stream/ngx_stream_core_module.html

I would suggest to use the following line

      server <YOUR_SERVER> fail_timeout=5s proxy_protocol;

and on the origin server, in case it is nginx, this.

http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

listen … proxy_protocol …;

If your destiation server is not able to read the proxy protocol then
you only DSR (direct Server Return) is able to show you the client IP.

Cheers Aleks

Aleks, I’m really thank you for your timely response.
I checked “proxy_protocol on;” option is working fine and watched the L4
machine send proxy protocol header like “PROXY TCP4 [Ip1] [Ip2] [Port1]
[Port2]”.
Really thank you.

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,263299,263302#msg-263302

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs