nginx problem with allow when forwarding through 2 proxy's

[Igor Sysoev]

On Fri, Dec 19, 2008 at 11:40:15AM +0100, Tomasz Pajor wrote:

> i think we misunderstood each other, nginx2 conf:
> 
> location / {
>  set $my_host maintenance.my_domain;
>  if ($remote_addr ~ ip.address) { set $my_host $host; }
>  proxy_pass http://127.0.0.1:8080/;
>  proxy_set_header X-Real-IP $remote_addr;
>  proxy_set_header Host $my_host;
>  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> }
> 
> based on $remote_addr i show proper page or just maintenance page for 
> users when I need to, but now when I have another nginx (nginx1) in 
> front of nginx2 this won't work, because nginx2 sees $remote_addr as the 
> address of nginx1

Maxim has showed the right link. You need to change $remote_addr on nginx2
to X-Real-Ip value. Howeverm in you case you may simply use $http_x_real_ip:

    location / {
         set $my_host maintenance.my_domain;
         if ($http_x_real_ip ~ ip.address) { set $my_host $host; }
         proxy_pass http://127.0.0.1:8080;
         proxy_set_header Host $my_host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }

Also you do not need to set

     proxy_set_header X-Real-IP $remote_addr;

on nginx2 as nginx1 has already set X-Real-IP to client's address.

> same goes for allow directive, wont work on nginx2
> >>Schema:
> >>
> >>nginx1 -> nginx2 -> apache
> >>
> >>On nginx2 i've got stub status module, and I want to allow only one ip  
> >>to view the data.
> >>But when I add the directive, it won't work, because nginx2 sees that  
> >>connection came from nginx1 which is on the same machine as nginx2 so  
> >>client ip would be 127.0.0.1.
> >>
> >>Is that a bug or it should be that way?
> >>    
> >
> >http://wiki.codemongers.com/NginxHttpRealIpModule
> >
> >Maxim Dounin
> >
> >  
> 

-- 
Igor Sysoev
http://sysoev.ru/en/