I got through all of that, finally i’m to nginx…
I only have one load balancer at the moment, but given the addition of
a second or third in which I cannot rely on all of the ip addresses to
be expressible any other way than 0.0.0.0/24.
set_real_ip_from 10.0.0.0/24;
real_ip_header X-Forwarded-For;
This simply does not work, however if I put a single load balancers IP
address there, it does. It seems like you guys went out of your way to
make sure that people set /something/ rather than nothing with the
real_ip_header variable which is good, the bad thing is you’re not
leaving me many options as far as overriding the behavior of
preventing me from allowing anybody in the world to send
X-Forwarded-For…
…which doesn’t make any sense because thanks to iptables the only
machine that could ever send that would be my load balancer or
balancers:
ACCEPT tcp – 10.178.101.53 anywhere tcp
dpt:http
ACCEPT tcp – 10.178.101.53 anywhere tcp
dpt:https
I’m begging you guys please. Please don’t save me from myself,
completely. Please. I have absolutely no need for this behavior, given
that stud, my ssl terminator, gets the tcp remote connection ip which
it uses for X-Forwarded-For, which in turn is sent to haproxy… and
the nginx servers only allow connections from the haproxy server…
oh another important thing to mention is that stud runs on the load
balancer server(s). Again there could end up being multiple
stud+haproxy servers that could talk to the nginx nodes… CIDR can’t
express random ip addresses… please fix set_real_ip_from to allow
0.0.0.0/24.
Thank you,
Paige Adele Thompson