ProxyProtocol with SSL client verification failure does not log client's address

Tomoya Kabe
October 13, 2020 12:16PM
Hello,

I placed nginx behind an AWS NLB with proxy protocol enabled, and configured
it to log the client's "real" IP:

listen 443 ssl proxy_protocol;
set_real_ip_from xxx.xxx.xxx.xxx;
real_ip_header proxy_protocol;
real_ip_recursive on;

and, since I need to verify client certificates,
ssl_verify_client on;

is also written in my config.

With valid clients, i.e. with valid client certificates, the log is as
expected: the client's real IP is logged.
However, the load balancer's address is logged when the client does not show
a client certificate.

I expect nginx could log the real IP even if the client verification fails,
because ProxyProtocol has nothing to do with client verification.
Is there anything I should check or fix in my configuration, or is it a bug
in nginx?

Note:
* I'm using the nginx:1.19.3 Docker image in an AWS Fargate service.
* I enabled/disabled http2 in the listen directive and the result was the same.
* I logged $remote_addr and $realip_remote_addr, but they have the same
value when client verification fails.


--
Tomoya KABE
Mail : limit.usus@gmail.com
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
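
A logging configuration for narrowing this down, added here as an example and not part of the original post: nginx's $proxy_protocol_addr and $proxy_protocol_port variables are taken from the PROXY protocol header of the connection itself, not from the realip module, so logging them next to $remote_addr, $realip_remote_addr and $ssl_client_verify shows per request which address each source holds when the certificate check fails. The log format name pp_audit and all file paths are assumptions; the load balancer address stays elided as in the post.

```nginx
# Added example, not from the original post. The format name, certificate
# paths and log path are assumptions chosen for illustration.
events {}

http {
    # $proxy_protocol_addr / $proxy_protocol_port: client address and port as
    #   sent in the PROXY protocol header on this connection.
    # $remote_addr: the address nginx currently holds for the request, i.e.
    #   the realip result if the module ran, otherwise the TCP peer.
    # $realip_remote_addr: the address before any realip substitution.
    # $ssl_client_verify: SUCCESS, FAILED:<reason>, or NONE (no certificate).
    log_format pp_audit 'pp=$proxy_protocol_addr:$proxy_protocol_port '
                        'remote=$remote_addr orig=$realip_remote_addr '
                        'verify=$ssl_client_verify status=$status '
                        '"$request"';

    server {
        listen 443 ssl proxy_protocol;

        ssl_certificate        /etc/nginx/tls/server.crt;     # placeholder path
        ssl_certificate_key    /etc/nginx/tls/server.key;     # placeholder path
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # placeholder path
        ssl_verify_client on;

        # Same realip settings as in the post; replace the elided address
        # with the load balancer's address or subnet.
        set_real_ip_from xxx.xxx.xxx.xxx;
        real_ip_header proxy_protocol;
        real_ip_recursive on;

        access_log /var/log/nginx/access.log pp_audit;
    }
}
```

Comparing the pp= and remote= fields on lines where verify= is not SUCCESS shows whether the PROXY header was parsed for the connection even though $remote_addr still holds the load balancer's address.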