nginx reverse proxy and nginx backend do not pass the IP

igroykt nginx-forum at forum.nginx.org
Wed Aug 9 12:54:24 UTC 2017


Hi all.
nginx frontend:
server{
...
        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $server_name;
                proxy_redirect off;
                proxy_connect_timeout 2s;
                proxy_pass https://office;
        }
}
nginx version: nginx/1.13.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_stub_status_module
--with-http_flv_module --with-http_mp4_module --with-http_realip_module

=======================

nginx backend:
server {
......
location / {
.....
        location ^~ /restricted {
                allow 1.2.3.4;
                deny all;
                location ~ \.php$ {
                        try_files $uri =404;
                        fastcgi_split_path_info ^(.+\.php)(/.+)$;
                        fastcgi_pass 127.0.0.1:9000;
                        fastcgi_index index.php;
                        fastcgi_read_timeout 300;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        fastcgi_intercept_errors on;
                        include fastcgi_params;
                }
}
}
nginx version: nginx/1.13.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --with-http_stub_status_module --with-http_ssl_module
--with-file-aio --with-threads --with-http_mp4_module --with-http_flv_module
--with-http_realip_module

====================

It returns 403. In the log:
1.1.1.1 - - [09/Aug/2017:21:50:07 +0900] "GET /pwned/ HTTP/1.0" 403 564 "-"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/59.0.3071.115 Safari/537.36" "1.2.3.4"
1.1.1.1 - - [09/Aug/2017:21:50:08 +0900] "GET /favicon.ico HTTP/1.0" 200
1150 "https://office.mytona.com/pwned/" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115
Safari/537.36" "1.2.3.4"
where 1.1.1.1 is the frontend address and 1.2.3.4 is the backend address.
Log format on the backend:
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent"'
                      'http_x_forwarded_for = $http_x_forwarded_for, real_ip_remote_addr = $realip_remote_addr';
Judging by the log, x-forwarded-for gets through, and remote_addr keeps the
address of the reverse proxy.
How do I live with this?

Posted at Nginx Forum: https://forum.nginx.org/read.php?21,275983,275983#msg-275983
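
Added example, not part of the original post: a backend configuration in which the realip module (compiled into both builds above) rewrites $remote_addr before allow/deny is evaluated. It assumes that 1.1.1.1 is the only proxy that connects to this backend and that 1.2.3.4 is the address allowed in the post's /restricted block; the log format name "proxied" is hypothetical.

```nginx
# Backend nginx. Added example; addresses are the ones used in the post.
http {
    # Log both views of the peer: $remote_addr after realip has rewritten it,
    # and $realip_remote_addr, which keeps the address of the TCP peer
    # (the frontend proxy).
    log_format proxied '$remote_addr (peer $realip_remote_addr) '
                       '[$time_local] "$request" $status '
                       'xff="$http_x_forwarded_for"';

    server {
        access_log logs/access.log proxied;

        # Accept the forwarded address only when the connection comes from
        # the frontend. Without a matching set_real_ip_from the header is
        # ignored, which is the behaviour seen in the post. Listing a wider
        # range than the real proxies lets any host in that range choose
        # its own $remote_addr and defeat the allow rule below.
        set_real_ip_from 1.1.1.1;

        # The frontend appends its own $remote_addr to X-Forwarded-For via
        # $proxy_add_x_forwarded_for, so the last entry is the one it vouches
        # for. With real_ip_recursive off (the default) nginx takes that last
        # entry and ignores anything the client put in front of it.
        real_ip_header    X-Forwarded-For;
        real_ip_recursive off;

        location ^~ /restricted {
            # Evaluated against the rewritten $remote_addr.
            allow 1.2.3.4;
            deny  all;
        }
    }
}
```

Using X-Real-IP as the real_ip_header works as well here, because the frontend overwrites that header with its own $remote_addr on every request.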


