Nginx/iptables passing ipclient ip

Marc Aymerich glicerinu at
Sat Nov 30 11:21:26 UTC 2013

On Fri, Nov 29, 2013 at 11:44 PM, Todd at VRG <nginx-forum at> wrote:
> Hi,
> I have nginx reverse proxy setup on a ubuntu server to pass to webservers...
> Setup..
> Ubuntu-nginx
> eth1 = external_ ip
> eth0 = internal_ ip
> Webserver 1 ip XX1
> webserver 2 ip XX2
> nginx is forwarding traffic to webservers..
> I tried both..
> proxy_set_header X-Forwarded-For $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> I have iptables for my firewall with proper ports and IPs open..
> the ip address I still see in the logs is the eth0 = internal_ ip
> I can change the ip the webserver is seeing using POSTROUTING SNAT
> iptables..
> This lead me to believe I have something miss configured that the Nginx can
> not pass the real client IP to the webservers..

Disclaimer: maybe I've misunderstood you :)

Do you realize that "proxy_set_header X-Forwarded-For $remote_addr;"
what would do is change the HTTP header, not the IP header.

What this means is that your internal facing web servers will see IP
traffic with SRC=internal_ip, however if you inspect the HTTP headers
of those requests, you will find that there is and
HTTP.X-Forwarded-For set to $remote_addr;

no more, no less than that :)


More information about the nginx mailing list