Welcome! Log In Create A New Profile

Advanced

Nginx real_ip_recursive

September 15, 2014 09:11AM
Hello,

I am using nginx to proxy connections to a server I have written in Java, which serves connections on port 8080. I am trying to use the X-Forwarded-For header to identify the real IP address of a connection, but I am running into difficulties with the nginx setting real_ip_recursive.

My nginx config file example_vhost in /etc/nginx/sites-enabled/:

server {
listen *:80;

server_name example.com;

index index.html index.htm index.php;

location / {

proxy_pass http://127.0.0.1:8080;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
}
}

This proxies requests onto my server as I expect, but I do not receive the correct IP address in the X-Forwarded-For header. If I connect to the server from a different IP address, spoofing the X-Forwarded-For header, I do not get the IP address of the machine, but rather get the spoofed addresses.

Example with curl on client machine 10.0.2.2:
$ curl -I --header "X-Forwarded-For: 1.1.1.1, 2.2.2.2" 10.0.2.15

Headers as received by my proxied Java server (extracted using tcpdump) on server machine 10.0.2.15:
$ sudo /usr/sbin/tcpdump -i lo -A -s 0 'tcp port 8080 and (
((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
13:50:13.338901 IP localhost.50997 > localhost.8080: Flags [P.], seq 3051450771:
3051450976, ack 3527489033, win 4099, options [nop,nop,TS val 1891289 ecr 189128
9], length 205
E....M@.@............5"...q..A6 ...........
........HEAD / HTTP/1.0
Host: localhost
X-Real-IP: 10.0.2.2
Connection: close
User-Agent: curl/7.30.0
Accept: */*
X-Forwarded-For: 1.1.1.1, 2.2.2.2

I assume I have got the nginx configuration wrong, but I am not sure how. I am using nginx/1.6.1 on debian Wheezy 7.6, and the output of nginx -V includes --with-http_realip_module.

Thanks for any help in advance.
Subject Author Posted

Nginx real_ip_recursive

ianjoneill September 15, 2014 09:11AM

Re: Nginx real_ip_recursive

Maxim Dounin September 15, 2014 09:26AM

Re: Nginx real_ip_recursive

ianjoneill September 15, 2014 09:41AM

Re: Nginx real_ip_recursive

Maxim Dounin September 15, 2014 11:14AM

Re: Nginx real_ip_recursive

ianjoneill September 15, 2014 11:41AM

Re: Nginx real_ip_recursive

Maxim Dounin September 15, 2014 03:16PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 75
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready