Nginx/iptables passing ipclient ip

Marc Aymerich glicerinu at gmail.com
Sat Nov 30 11:21:26 UTC 2013


On Fri, Nov 29, 2013 at 11:44 PM, Todd at VRG <nginx-forum at nginx.us> wrote:
> Hi,
>
> I have nginx reverse proxy setup on a ubuntu server to pass to webservers...
>
>
> Setup..
>
> Ubuntu-nginx
> eth1 = external_ ip
> eth0 = internal_ ip
>
> Webserver 1 ip XX1
> webserver 2 ip XX2
>
> nginx is forwarding traffic to webservers..
>
> I tried both..
>
> proxy_set_header X-Forwarded-For $remote_addr;
>
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
> I have iptables for my firewall with proper ports and IPs open..
>
> the ip address I still see in the logs is the eth0 = internal_ ip
> I can change the ip the webserver is seeing using POSTROUTING SNAT
> iptables..
>
> This lead me to believe I have something miss configured that the Nginx can
> not pass the real client IP to the webservers..

Disclaimer: maybe I've misunderstood you :)

Do you realize that "proxy_set_header X-Forwarded-For $remote_addr;"
what would do is change the HTTP header, not the IP header.

What this means is that your internal facing web servers will see IP
traffic with SRC=internal_ip, however if you inspect the HTTP headers
of those requests, you will find that there is and
HTTP.X-Forwarded-For set to $remote_addr;

no more, no less than that :)

br
--
Marc



More information about the nginx mailing list