Hello Maxim,

Thanks for the suggestion. I checked my Haproxy config again, and this is what I use for adding the 'X-Client-IP' header:

option forwardfor header X-Client-IP

In addition, if Haproxy is passing header things like 'X-Client_IP', then why is that the requests routed directly to Tornado (not via Nginx) contain the correct header 'X-Client-IP'? It seem like something happens when the requests go through nginx and the header is dropped.

Below is part of my nginx config, and the last location block is the relevant one here.

worker_processes 2;
pid /var/run/nginx.pid;
daemon off;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

sendfile on;
tcp_nodelay on;
tcp_nopush on;
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 15;
send_timeout 15;
server_tokens off;
gzip on;
gzip_http_version 1.1;
gzip_comp_level 3;
gzip_types text/plain text/css
application/x-javascript
application/xml application/xml+rss
text/javascript;
log_format mylog '$remote_addr - $remote_user [$time_local] "$request" $status $sent_http_content_type $body_bytes_sent "$http_referer" "$http_user_agent"';

server {
listen 8484;
server_name www.mysite.com mysite.com;
access_log /home/www-data/logs/nginx_www_access.log;
error_log /home/www-data/logs/nginx_www_error.log debug;
error_page 404 /404.html;
error_page 502 503 504 /50x.html;
error_page 403 /forbidden.html;

root /home/www-data/tornado/mysite/static;

if ( $http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen|video|webcam) ) {
return 405;
}

location ~* (\.jpg|\.png|\.css|\.js|\.html)$ {
valid_referers none blocked www.mysite.com static.mysite.com mysite.com;
if ($invalid_referer) { return 405; }
}

location ^~ /doc/read/ {
if ($uri ~* (\.jpg|\.png|\.css|\.js|\.html)$) { return 404; }
if ($uri !~* /doc/read/[a-zA-Z0-9_-]+/[0-9]+$) { return 404; }
#if ($http_cookie !~* "subject=[.]+") { return 404; }
proxy_pass http://127.0.0.1:8080;
proxy_redirect off;
}
}
}