Stud -> Haproxy -> and Nginx; nginx real_ip_header isn't working as expected, can't scale

I got through all of that, finally i’m to nginx…

I only have one load balancer at the moment, but given the addition of
a second or third in which I cannot rely on all of the ip addresses to
be expressible any other way than 0.0.0.0/24.

set_real_ip_from 10.0.0.0/24;
real_ip_header X-Forwarded-For;

This simply does not work, however if I put a single load balancers IP
address there, it does. It seems like you guys went out of your way to
make sure that people set /something/ rather than nothing with the
real_ip_header variable which is good, the bad thing is you’re not
leaving me many options as far as overriding the behavior of
preventing me from allowing anybody in the world to send
X-Forwarded-For…

…which doesn’t make any sense because thanks to iptables the only
machine that could ever send that would be my load balancer or
balancers:

ACCEPT tcp – 10.178.101.53 anywhere tcp
dpt:http
ACCEPT tcp – 10.178.101.53 anywhere tcp
dpt:https

I’m begging you guys please. Please don’t save me from myself,
completely. Please. I have absolutely no need for this behavior, given
that stud, my ssl terminator, gets the tcp remote connection ip which
it uses for X-Forwarded-For, which in turn is sent to haproxy… and
the nginx servers only allow connections from the haproxy server…

oh another important thing to mention is that stud runs on the load
balancer server(s). Again there could end up being multiple
stud+haproxy servers that could talk to the nginx nodes… CIDR can’t
express random ip addresses… please fix set_real_ip_from to allow
0.0.0.0/24.

Thank you,

Paige Adele Thompson
http://paigeat.info
[email protected]

On Fri, Aug 31, 2012 at 11:32:13AM -0700, Thompson, Paige wrote:

Hi there,

I only have one load balancer at the moment, but given the addition of
a second or third in which I cannot rely on all of the ip addresses to
be expressible any other way than 0.0.0.0/24.

set_real_ip_from 10.0.0.0/24;

You’ve used two different cidr addresses there. It’s not clear which
one you actually mean.

Are you aware that 10.0.0.0/24 means “10.0.0.anything”?

If you want “10.anything”, that is 10.0.0.0/8.

real_ip_header X-Forwarded-For;

This simply does not work, however if I put a single load balancers IP
address there, it does.

It looks to me like it should work.

And a quick test of

curl -i -H ‘X-Forwarded-For: 10.0.1.99’ http://localhost:8080/

shows “10.0.1.99” as the first field in access.log.

What does your set_real_ip_from directive say? And what is the IP
address
of the load balancer that is talking to nginx?

I suspect that when you configure it right, nginx will work fine.

Good luck with it,

f

Francis D. [email protected]

On Fri, Aug 31, 2012 at 11:34:45PM +0100, Francis D. wrote:

On Fri, Aug 31, 2012 at 11:32:13AM -0700, Thompson, Paige wrote:

Hi there,

And a quick test of

curl -i -H ‘X-Forwarded-For: 10.0.1.99’ http://localhost:8080/

shows “10.0.1.99” as the first field in access.log.

…when my source address was 127.0.0.1 and my important other directive
was

set_real_ip_from 127.0.0.0/16;

in order to include my source address in the set_real_ip_from network

f

Francis D. [email protected]

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs