'real_ip_header proxy_protocol' don't change the client address

Maxim Dounin mdounin at mdounin.ru
Thu Sep 28 13:54:41 UTC 2017


Hello!

On Wed, Sep 27, 2017 at 10:38:45PM -0400, fengx wrote:

> The config is rather simple as following. My test version is 1.7.2, a bit
> old. I can't upgrade to the latest one in our production for now. Anyway I
> think it should work in 1.7.2 because the document says proxy_protocol was
> introduced from 1.5.12.
> 
> http {
>     log_format combined '$proxy_protocol_addr - $remote_addr - $remote_user [$time_local] '
>                         '"$request" $status $body_bytes_sent '
>                         '"$http_referer" "$http_user_agent"';
>     ...
> 
>     server {
>         server_name www.abc.com;
> 
>         listen 80;
>         listen 8181 proxy_protocol;
> 
>         real_ip_header   proxy_protocol;
>         real_ip_recursive on;
>         set_real_ip_from 192.168.1.0/24;
> 
>         location / {
>             ...
>         }
>     }
> }

And how do you test?

Exactly the same config, and even with exactly the same version of 
nginx works fine here:

$ telnet localhost 8181
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
PROXY TCP4 10.0.0.1 10.0.0.2 1 2  
GET / HTTP/1.0

HTTP/1.1 200 OK
Server: nginx/1.7.2
Date: Thu, 28 Sep 2017 13:48:09 GMT
Content-Type: text/plain
Content-Length: 19
Connection: close

10.0.0.1 127.0.0.1
Connection closed by foreign host.

Where the response body is a result of 

            return 200 "$proxy_protocol_addr $remote_addr\n";

in location /.  Corresponding log line:

10.0.0.1 - 127.0.0.1 - - [28/Sep/2017:16:48:09 +0300] "GET / HTTP/1.0" 200 19 "-" "-"

Note well that this is not a good idea to run nginx 1.7.2 in 
production.  It is a long obsolete version of the mainline branch, 
it is not supported for more than 3 years now, and has known 
security issues, see http://nginx.org/en/security_advisories.html.

-- 
Maxim Dounin
http://nginx.org/
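
An added example, not part of the original message and not nginx's own code: a Python model of how a PROXY protocol v1 line like the one typed in the telnet session is parsed, and of the realip rule that `$remote_addr` is replaced only when the connecting peer matches `set_real_ip_from`. The function names and the 192.168.1.5 peer are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample: the header from the telnet session, CRLF-terminated.
HEADER = b"PROXY TCP4 10.0.0.1 10.0.0.2 1 2\r\n"
TRUSTED = ["192.168.1.0/24"]  # set_real_ip_from value in the quoted config


def parse_proxy_v1(line):
    """Return (src_ip, dst_ip, src_port, dst_port), or None for UNKNOWN."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("v1 header is at most 107 bytes and ends with CRLF")
    parts = line[:-2].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None  # sender could not determine the addresses
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed header")
    family = 4 if parts[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(p) for p in parts[2:4])
    if src.version != family or dst.version != family:
        raise ValueError("address family mismatch")
    if not all(p.isdigit() and int(p) <= 65535 for p in parts[4:6]):
        raise ValueError("bad port")
    return str(src), str(dst), int(parts[4]), int(parts[5])


def resolve_addresses(peer_ip, header, trusted_cidrs):
    """Return (proxy_protocol_addr, remote_addr) for one connection."""
    parsed = parse_proxy_v1(header)
    proxy_addr = parsed[0] if parsed else None
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(c) for c in trusted_cidrs)
    # The header address replaces the client address only for trusted peers.
    remote_addr = proxy_addr if trusted and proxy_addr else peer_ip
    return proxy_addr, remote_addr


if __name__ == "__main__":
    for peer in ("127.0.0.1", "192.168.1.5"):  # second peer is constructed
        print(peer, "->", resolve_addresses(peer, HEADER, TRUSTED))
```

For the 127.0.0.1 peer of the telnet test, the model returns the same pair as the response body shown above: 10.0.0.1 and 127.0.0.1.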

