Nginx removes X-Client-IP header added by loadbalancer
mdounin at mdounin.ru
Mon Dec 10 02:58:57 UTC 2012
On Sun, Dec 09, 2012 at 08:30:39PM -0500, mrtn wrote:
> Hello Maxim,
> Thanks for the suggestion. I checked my Haproxy config again, and this is
> what I use for adding the 'X-Client-IP' header:
> option forwardfor header X-Client-IP
> In addition, if Haproxy is passing header things like 'X-Client_IP', then
> why is that the requests routed directly to Tornado (not via Nginx) contain
> the correct header 'X-Client-IP'? It seem like something happens when the
> requests go through nginx and the header is dropped.
Usually headers are accessed by a backend code via CGI-like
environment variables like HTTP_X_CLIENT_IP, which makes it
impossible to distinguish "_" from "-", that's why I suggested the
"_" as a most likely reason.
> Below is part of my nginx config, and the last location block is the
> relevant one here.
There is nothing which may cause such a behaviour in your config,
but the "part" part is what always leaves a room for speculations.
By default nginx doesn't removes any X-* headers from proxied
requests. If the header was indeed removed (i.e. you see it on
the wire before nginx, but not between nginx and a backend) it may
indicate one of the following:
1) The header was ignored as invalid, e.g. due to underscore in
it's name. Check nginx logs for "client sent invalid header line"
messages at info level, it might provide additional information.
2) The header was hidden by proxy configuration, either by
proxy_set_header with the exact name, or using
3) Something really bad happened which prevented request from
being parsed correctly.
In either case debug log
(http://nginx.org/en/docs/debugging_log.html) should provide
enough info to diagnose the problem. Actually looking on the data
on the wire (e.g. with "tcpdump -Xs0" might also help).
More information about the nginx