Nginx real_ip module doesn't work in some conditions

Francis Daly francis at daoine.org
Sat Aug 27 23:05:02 UTC 2016 

On Sat, Aug 27, 2016 at 03:02:16PM -0400, romkaltu wrote:

Hi there,

> So I have Nginx proxy and some servers running behind it. I need to know
> real users IP not proxy, so I using real_ip module. Everything is working as
> expected, but if I configure vhost like subdomain.domain.com backend getting
> Nginx proxy IP.

It seems to work for me.

I suppose it is worth making clear: the real_ip module can make some
internal-to-nginx things think that the connection to nginx actually
came from an address different from what it really was.

Does that match what you want the module to do?

As in: what, specifically, do you mean by "backend getting Nginx proxy IP"?

The connection from nginx to the backend will always[*] come from the
nginx IP.

[*] there is a configurable exception; but if you don't know that you
are using it, you are not using it. It needs extra configuration outside
of nginx.

> Here is my Nginx config sample
> 
> set_real_ip_from  192.168.2.0/24;
> real_ip_header    X-Forwarded-For;
> real_ip_recursive on;
> 
> upstream srv1 { server 192.168.2.12:80; }
> 
> server {
>         listen       80;
>         server_name  dev.somedomain.com;
> 
>         location / {
>          proxy_pass  http://srv1;
>        }
> }

> So if I go to somedomain.com backend receiving real IP, no problems here.
> But for dev.somedomain.com backend receiving proxy IP!

Can you give one specific example of what you mean by this?

When I use a config like this, I see no relevant difference in what the
backend gets between requests to somedomain.com and dev.somedomain.com
-- the connection comes from the nginx address, and includes an
X-Forwarded-For header only if the original request included one.

> And this is only shortened example, same situation with different domains
> and subdomains...

I don't see any problem when using the shortened example. Can you describe
more exactly what you see that is not what you want to see?

Thanks,

	f
-- 
Francis Daly        francis at daoine.org

More information about the nginx mailing list