|
Nginx and real client ip February 25, 2016 11:02AM |
Registered: 8 years ago Posts: 1 |
|
Re: Nginx and real client ip February 26, 2016 08:40AM |
Admin Registered: 15 years ago Posts: 574 |
Hello,
In order to do so you must enable the ngx_http_realip_module when compiling. See http://nginx.org/en/docs/http/ngx_http_realip_module.html
The following is a snippet from a working configuration. This is the front end nginx which passes to a backend nginx running in a jail and listening on 8000:
location / {
proxy_pass http://10.0.2.7:8000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_redirect off;
proxy_set_header Host $host;
....
}
The backend runs nginx proxying to an Apache/php5.6 backend listening on 8080 using mod_rpaf2:
http {
...
set_real_ip_from 10.0.2.0/30;
...
server {
....
location ~ \.php$ {
proxy_pass http://10.0.2.7:8080;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $http_x_real_ip;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
...
}
....
}
}
The reason for this setup is this is an old script which needs to be jailed for security reasons. The jailed nginx instance serves static content back to the front end nginx instance which stores them using proxy_cache if appropriate, and Apache serves PHP and gets the correct remote address. You can prove that by using $http_x_real_ip in your log_format directive. Otherwise, it would read all requests as coming from the internal IP.
--
Jim Ohlstein
In order to do so you must enable the ngx_http_realip_module when compiling. See http://nginx.org/en/docs/http/ngx_http_realip_module.html
The following is a snippet from a working configuration. This is the front end nginx which passes to a backend nginx running in a jail and listening on 8000:
location / {
proxy_pass http://10.0.2.7:8000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_redirect off;
proxy_set_header Host $host;
....
}
The backend runs nginx proxying to an Apache/php5.6 backend listening on 8080 using mod_rpaf2:
http {
...
set_real_ip_from 10.0.2.0/30;
...
server {
....
location ~ \.php$ {
proxy_pass http://10.0.2.7:8080;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $http_x_real_ip;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
...
}
....
}
}
The reason for this setup is this is an old script which needs to be jailed for security reasons. The jailed nginx instance serves static content back to the front end nginx instance which stores them using proxy_cache if appropriate, and Apache serves PHP and gets the correct remote address. You can prove that by using $http_x_real_ip in your log_format directive. Otherwise, it would read all requests as coming from the internal IP.
--
Jim Ohlstein
Sorry, only registered users may post in this forum.
Online Users
Guests:
185
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|