Forum: NGINX Setting remote addr to contents of header

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
1067916bdca9347542c035fdb7430083?d=identicon&s=25 Paul Dlug (Guest)
on 2009-04-16 00:45
(Received via mailing list)
I'm running nginx beyind a L7 proxy (haproxy), I have haproxy setting
the X-Forwarded-For header and I'm using this to log the real IP of
the client and pass it to other processes that I'm proxying with nginx
(mongrels, apache, etc.). This works just great but I would like to be
able to use nginx directives to control access (allow, deny, etc.).
These don't work since nginx itself sees the remote_addr as the IP of
the haproxy server.

Any suggestions? I would think a solution like mod_rpaf for apache
would be ideal.


Thanks,
Paul
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2009-04-16 01:02
(Received via mailing list)
Hello!

On Wed, Apr 15, 2009 at 06:37:36PM -0400, Paul Dlug wrote:

> I'm running nginx beyind a L7 proxy (haproxy), I have haproxy setting
> the X-Forwarded-For header and I'm using this to log the real IP of
> the client and pass it to other processes that I'm proxying with nginx
> (mongrels, apache, etc.). This works just great but I would like to be
> able to use nginx directives to control access (allow, deny, etc.).
> These don't work since nginx itself sees the remote_addr as the IP of
> the haproxy server.
>
> Any suggestions? I would think a solution like mod_rpaf for apache
> would be ideal.

http://wiki.nginx.org/NginxHttpRealIpModule

Maxim Dounin
1067916bdca9347542c035fdb7430083?d=identicon&s=25 Paul Dlug (Guest)
on 2009-04-16 07:01
(Received via mailing list)
The realip module only sets the X-Forwarded-For header based on an
upstream header. It doesn't set the value of the client IP in the
nginx request object which is what is needed to get directives like
allow/deny to work.
96321bb7fd6f712aa7785ce2d58388f2?d=identicon&s=25 Anton Yuzhaninov (Guest)
on 2009-04-16 09:45
(Received via mailing list)
Paul Dlug wrote:
> The realip module only sets the X-Forwarded-For header based on an
> upstream header. It doesn't set the value of the client IP in the
> nginx request object which is what is needed to get directives like
> allow/deny to work.

ngx_http_realip_module override client IP in the nginx request
object based on value from request header.

If allow/deny don't work as need try to check set_real_ip_from and
real_ip_header settings.
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2009-04-16 10:30
(Received via mailing list)
Hello!

On Thu, Apr 16, 2009 at 12:52:01AM -0400, Paul Dlug wrote:

> The realip module only sets the X-Forwarded-For header based on an
> upstream header. It doesn't set the value of the client IP in the
> nginx request object which is what is needed to get directives like
> allow/deny to work.

No, you are wrong.  Try re-reading docs.

Maxim Dounin
1067916bdca9347542c035fdb7430083?d=identicon&s=25 Paul Dlug (Guest)
on 2009-04-16 10:48
(Received via mailing list)
On Thu, Apr 16, 2009 at 4:20 AM, Maxim Dounin <mdounin@mdounin.ru>
wrote:
> Hello!
>
> On Thu, Apr 16, 2009 at 12:52:01AM -0400, Paul Dlug wrote:
>
>> The realip module only sets the X-Forwarded-For header based on an
>> upstream header. It doesn't set the value of the client IP in the
>> nginx request object which is what is needed to get directives like
>> allow/deny to work.
>
> No, you are wrong.  Try re-reading docs.

Thanks, I got it, it was my original mis-reading of the docs. I hadn't
realized that set_real_ip_from had to be set at all times.


--Paul
This topic is locked and can not be replied to.