Forum: NGINX Pass real client IP to web servers

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
69b9f74b1de8d0c6e0085b1ca5ba2bd8?d=identicon&s=25 bdroste (Guest)
on 2009-03-26 06:27
(Received via mailing list)
Subject: Pass real client IP to web servers
Author: bdroste

I'm sure this has been asked before, but I can't find an answer.  I'm
running nginx-0.7.44 on a server, load balancing port 80 to port 8080 on
2 other servers running Apache.  I am trying to figure out how to get
Nginx to pass the real IP address of the browser client through to the
web servers.  The web servers always log the IP address of the Nginx
server instead of the client.

A Google search suggested that I needed to run a Apache proxy server on
each of my web servers that then pass the request on to my real web
server, so the headers are rewritten.  That works, but it seems I should
be able to do this with Nginx and not need to run an intermediate web
server just to pass the traffic to my real web servers.

Here is my nginx.conf
-----
worker_processes  4;

events {
    worker_connections  8192;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  60;

    proxy_set_header  Host $host;
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;

    upstream serverpool {
       server 192.168.20.170:7080;
       server 192.168.20.171:8080;
    }

    server {
        listen 80;
        server_name www.mydomain.com;
        location / {
           proxy_pass http://serverpool;
           proxy_redirect default;
        }
    }
}
----

Any help or clarification on the issue would be greatly appreciated.

Thanks,
Bruce

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,449,449#msg-449
F5a6ed477b109fe6acc11a5a8f87e7e8?d=identicon&s=25 Michael Shadle (Guest)
on 2009-03-26 07:12
(Received via mailing list)
On Wed, Mar 25, 2009 at 4:53 PM, bdroste <nginx-list@forum.nginx.org>
wrote:

>    server {
>        listen 80;
>        server_name www.mydomain.com;
>        location / {

maybe put this stuff here

>    proxy_set_header  Host $host;
>    proxy_set_header  X-Real-IP  $remote_addr;
>    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;


>           proxy_pass http://serverpool;
>           proxy_redirect default;
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2009-03-26 11:58
(Received via mailing list)
Hello!

On Wed, Mar 25, 2009 at 07:53:31PM -0400, bdroste wrote:

> Subject: Pass real client IP to web servers
> Author: bdroste
>
> I'm sure this has been asked before, but I can't find an answer.  I'm running 
nginx-0.7.44 on a server, load balancing port 80 to port 8080 on 2 other servers running 
Apache.  I am trying to figure out how to get Nginx to pass the real IP address of the 
browser client through to the web servers.  The web servers always log the IP address of 
the Nginx server instead of the client.
>
> A Google search suggested that I needed to run a Apache proxy server on each of my web 
servers that then pass the request on to my real web server, so the headers are rewritten. 
That works, but it seems I should be able to do this with Nginx and not need to run an 
intermediate web server just to pass the traffic to my real web servers.

[...]

>     proxy_set_header  X-Real-IP  $remote_addr;
>     proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;

You should configure Apache to accept ip address from X-Real-IP or
X-Forwarded-For headers set by nginx (and from nginx server ip).
Take a look at mod_realip or mod_rpaf/mod_rpaf2 apache modules.

As you said that running Apache proxy on each of your web servers
fixes the issue - probably you already have one of the modules
above, but configured to accept X-Real-IP/X-Forwarded-For from
localhost only.

Maxim Dounin
This topic is locked and can not be replied to.