nginx reverse proxy and nginx backend don't pass the IP through

August 09, 2017 08:54AM
Hi everyone.
nginx frontend:
server{
...
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
proxy_redirect off;
proxy_connect_timeout 2s;
proxy_pass https://office;
}
}
nginx version: nginx/1.13.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_realip_module

=======================

nginx backend:
server {
......
location / {
.....
location ^~ /restricted {
allow 1.2.3.4;
deny all;
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_read_timeout 300;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
include fastcgi_params;
}
}
}
nginx version: nginx/1.13.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --with-http_stub_status_module --with-http_ssl_module --with-file-aio --with-threads --with-http_mp4_module --with-http_flv_module --with-http_realip_module

====================

It returns 403. In the log:
1.1.1.1 - - [09/Aug/2017:21:50:07 +0900] "GET /pwned/ HTTP/1.0" 403 564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" "1.2.3.4"
1.1.1.1 - - [09/Aug/2017:21:50:08 +0900] "GET /favicon.ico HTTP/1.0" 200 1150 "https://office.mytona.com/pwned/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" "1.2.3.4"
where 1.1.1.1 is the frontend's address and 1.2.3.4 is the backend's address.
The log format on the backend:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent"' 'http_x_forwarded_for = $http_x_forwarded_for, real_ip_remote_addr = $realip_remote_addr';
Judging by the log, X-Forwarded-For gets through, while remote_addr keeps the reverse proxy's address.
What do I do?
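
Added example, not part of the original post: one way to make the backend's allow/deny see the client address is ngx_http_realip_module, which both builds above include (--with-http_realip_module). It assumes 1.1.1.1, the frontend address from the post, is the only proxy in front of the backend; the server block is a fragment for the http context with the elided directives left out.

```nginx
# Backend nginx (added example, not the poster's configuration).
# Assumption: 1.1.1.1 is the frontend and the only host whose
# X-Forwarded-For header should be believed.

server {
    # Replace $remote_addr with the address taken from the header, but
    # only for connections that arrive from the trusted frontend. A
    # request from any other peer keeps its TCP source address, so a
    # client that reaches the backend directly cannot pick its own IP.
    set_real_ip_from  1.1.1.1;
    real_ip_header    X-Forwarded-For;

    # The frontend uses $proxy_add_x_forwarded_for, which appends the
    # address it saw to whatever X-Forwarded-For the client sent. With
    # recursive search, nginx walks the list from the right, skips
    # addresses matching set_real_ip_from and takes the first one that
    # is not trusted, i.e. the entry the frontend appended.
    real_ip_recursive on;

    # Alternative: the frontend also sets X-Real-IP to $remote_addr,
    # overwriting any client-supplied value, so this works as well:
    # real_ip_header  X-Real-IP;

    location ^~ /restricted {
        # The access module runs after realip, so these rules are now
        # checked against the rewritten $remote_addr.
        allow 1.2.3.4;
        deny  all;
    }
}
```

The original peer address stays available as $realip_remote_addr, which the log_format above already records.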
Subject / Author / Posted

nginx reverse proxy and nginx backend don't pass the IP through / igroykt / August 09, 2017 08:54AM

Re: nginx reverse proxy and nginx backend don't pass the IP through / Evgeniy Berdnikov / August 09, 2017 09:40AM

Re: nginx reverse proxy and nginx backend don't pass the IP through / igroykt / August 09, 2017 09:57AM

Re: nginx reverse proxy and nginx backend don't pass the IP through / igroykt / August 11, 2017 02:42AM


