Nginx realip vs proxypass

Francis Daly francis at daoine.org
Fri Oct 2 12:44:59 UTC 2015


On Fri, Oct 02, 2015 at 12:44:51PM +0200, Marcello Lorenzi wrote:

Hi there,

> we're testing a new nginx implementation to put in front our web
> application to retrieve the X-Forwarded-For header sent by an external
> reverse proxy and configure it as realip address of the requests forwarded
> to we app.

I don't think that that is how it can work.

The tcp connection from nginx to your web app will have the source ip
address of nginx, and the destination ip address of web app.

You would have to run something like the realip module on the web app,
in order that an early part of the web app can pretend to the rest of
the web app that the actual connecting address is something different
from what it really it.

> We have installed nginx with the realip module and from the access log we
> can see the real IP address sent by X-Forwarded-For header but if we try to
> forward the request to the web application via proxypass the address sent
> is the IP of the nginx instance.
> 
> Is it possible via proxypass to present the real IP?

proxy_pass can write whatever IP you want into an application-level
header, such as X-Forwarded-For or X-Real-IP, which your web app can
interpret as it sees fit.

But your web app could do that directly form the current reverse proxy,
without adding nginx.


If you *really* want it, you could investigate adding something that would
play lots of network and routing games to do the NAT that you want. But
that's unrelated to nginx, and possibly not possible.

	f
-- 
Francis Daly        francis at daoine.org



More information about the nginx mailing list