ProxyProtocol with SSL client verification failure does not log client's address

Tomoya Kabe limit.usus at gmail.com
Tue Oct 13 16:13:43 UTC 2020


Hello,

I placed nginx behind an AWS NLB with proxy protocol enabled, and configured
it to log the client's "real" IP:

    listen 443 ssl proxy_protocol;
    set_real_ip_from xxx.xxx.xxx.xxx;
    real_ip_header proxy_protocol;
    real_ip_recursive on;

and since I need to verify clients' certificates,
    ssl_verify_client on;

is also written in my config.

With valid clients, i.e. with valid client certificates, the log is as
expected and shows the client's real IP.
However, the load balancer's address is logged when the client does not
present a client certificate.

I expect nginx could log the real IP even if the client verification fails,
because ProxyProtocol has nothing to do with client verification.
Is there anything I should check or fix in my configuration, or is it a bug
in nginx?

Note:
* I'm using nginx:1.19.3 docker image in AWS Fargate service.
* I enabled/disabled http2 in listen directive and the result was the same.
* I logged $remote_addr and $realip_remote_addr but these are the same
value when client verification fails.


-- 
Tomoya KABE
Mail : limit.usus at gmail.com
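An added diagnostic configuration, not part of the post above: it extends the poster's setup with a log_format that records the address taken directly from the PROXY protocol header ($proxy_protocol_addr) next to the realip-rewritten $remote_addr and the client-certificate verification result, so that handshakes failing client verification can still be attributed to the originating address in the access log. The set_real_ip_from address and the log path are placeholders.

```nginx
http {
    # Log the PROXY-header address independently of the realip rewrite.
    # $proxy_protocol_addr is filled in by the "proxy_protocol" listen
    # parameter; $remote_addr is what the realip module rewrote (or not);
    # $ssl_client_verify is SUCCESS, FAILED:<reason> or NONE.
    log_format proxy_diag '$remote_addr realip=$realip_remote_addr '
                          'pp=$proxy_protocol_addr:$proxy_protocol_port '
                          'verify="$ssl_client_verify" '
                          '"$request" $status $ssl_protocol';

    server {
        listen 443 ssl proxy_protocol;

        # Placeholder: the NLB's source address range, not a real value.
        set_real_ip_from 10.0.0.0/16;
        real_ip_header   proxy_protocol;
        real_ip_recursive on;

        ssl_certificate        /etc/nginx/tls/server.crt;  # placeholder path
        ssl_certificate_key    /etc/nginx/tls/server.key;  # placeholder path
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # placeholder path
        ssl_verify_client on;

        # Placeholder path; entries with verify="NONE" or FAILED:* and
        # status 495/496 can be matched on pp=<address> for attribution.
        access_log /var/log/nginx/proxy_diag.log proxy_diag;
        error_log  /var/log/nginx/error.log info;

        location / {
            return 200 "ok\n";
        }
    }
}
```

Compare the $remote_addr and pp= fields on entries whose verify field is not SUCCESS: if pp= carries the client address while $remote_addr still shows the load balancer, the PROXY header was parsed and only the realip rewrite did not apply to that request.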