Real IP not working?

dubstep · December 4, 2011, 4:12pm

Hi. Nginx 1.0.8 proxying to Apache 2. My version of PHP is 5.3.8, but
that’s irrelevant I suppose.

Nginx is with Real IP module. I have the following in my conf file:

set_real_ip_from   192.168.1.0/24;
set_real_ip_from   192.168.2.1;
set_real_ip_from   127.0.0.1;
set_real_ip_from   [..my server ip..];
real_ip_header     X-Real-IP;

Apache is also with module RPAF. And there’s this bit in httpd.conf:

LoadModule rpaf_module /usr/lib64/httpd/modules/mod_rpaf-2.0.so
<IfModule mod_rpaf.c>
RPAFenable On
RPAFproxy_ips  0.0.0.0  127.0.0.1  [...my server IPs...]
RPAFsethostname On
RPAFheader X-Real-IP
</IfModule>

Yet, in Apache log, the client IPs are not shown. All the IPs in the log
are my own server’s IP!

How can I make sure that Apache shows the end user’s IP?

Posted at Nginx Forum:

pk899 · December 4, 2011, 7:37pm

set_real_ip_from […my server ip…];
RPAFenable On
How can I make sure that Apache shows the end user’s IP?
You shouldn’t use ngx_http_realip_module for issues like this.
Just set X-Real-IP header to $remote_addr variable value
in your location section with ‘proxy_pass’ directive
(or ‘fastcgi_pass’ or whatever you use).

Like the following:

location / {

…
proxy_pass http://<backend_ip>:<backend_port>;
proxy_set_header Host $host;

  proxy_set_header           X-Real-IP        $remote_addr;

…
}

Your mod_rpaf config have already correctly set up to handle X-Real-IP
header
and consider it as the end user’s IP.

Also, you shouldn’t use the RPAFsethostname option turned ‘On’ unless
you
set X-Host header in the nginx config before passing request to backend.
Just turn it ‘Off’.

pk899 · December 4, 2011, 8:16pm

Alexander Kolesen Wrote:

…

    proxy_set_header           Host
Also, you shouldn’t use the RPAFsethostname option
turned ‘On’ unless you
set X-Host header in the nginx config before
passing request to backend. Just turn it ‘Off’.

Thanks Alexander. But this does not work.

I commented all the “set_real_ip_from” in nginx config. Restarted nginx.

Now the “REMOTE_ADDR” in my php code inside Apache is just my server’s
IP. So the real IP is not being passed.

If I enable the “set_real_ip_from” inside nginx config, then my php code
sees the right REMOTE_ADDR. But the log messages inside Apache are wrong
even then…all from my own server IP.

Anyway, my nginx “proxy.inc” is this:


proxy_cache_bypass $http_pragma $http_authorization;
proxy_no_cache $http_pragma $http_authorization;
proxy_temp_file_write_size 512k;
proxy_pass_header Set-Cookie;
proxy_redirect off;
proxy_hide_header Vary;
proxy_set_header Accept-Encoding '';
proxy_set_header Referer $http_referer;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Any ideas?

PS: I turned that RPAFsethostname off in apache. This seems harmless
enough.

Posted at Nginx Forum:

pk899 · December 4, 2011, 8:19pm

pk899 Wrote:

location / {
}
passing request to backend. Just turn it ‘Off’.
is just my server’s IP. So the real IP is not
proxy_set_header Referer
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;

Any ideas?

PS: I turned that RPAFsethostname off in apache.
This seems harmless enough.

Btw, just to add…

The HTTP_X_FORWARDED_FOR variable does have the right IP address, but
the “REMOTE_ADDR” does not. The latter has only my own server IP.

What do I need to do?

Posted at Nginx Forum:

pk899 · December 5, 2011, 7:34am

…
to handle X-Real-IP header
Thanks Alexander. But this does not work.

proxy_set_header Accept-Encoding ‘’;
Any ideas?

PS: I turned that RPAFsethostname off in apache. This seems harmless
enough.

Seems like you’re using Apache httpd >=2.0, but your checks
for the 1.3 version.
Just try this:

LoadModule rpaf_module /usr/lib64/httpd/modules/mod_rpaf-2.0.so
+
-
RPAFenable On
RPAFproxy_ips 0.0.0.0 127.0.0.1 […my server IPs…]
RPAFsethostname On
RPAFheader X-Real-IP

pk899 · December 4, 2011, 9:09pm

I’ve got nginx proxying to a lighttpd server (hosted on a DroboPro FS),
and I’m using only the following four directives in the proxy location’s
stanza:

proxy_pass http://
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

This seems to be all that’s necessary. The proxy target’s access log
shows the accessing client’s IP for each request, not the nginx server.

You’ve got a lot more stuff going on in your config, though, so I’m not
sure if this will be helpful to you or not. Maybe you could comment out
some directives and start with just the basics?

-Lee