Nginx removes X-Client-IP header added by loadbalancer

Maxim Dounin mdounin at
Mon Dec 10 02:58:57 UTC 2012


On Sun, Dec 09, 2012 at 08:30:39PM -0500, mrtn wrote:

> Hello Maxim,
> Thanks for the suggestion. I checked my Haproxy config again, and this is
> what I use for adding the 'X-Client-IP' header:
> option forwardfor header X-Client-IP
> In addition, if Haproxy is passing header things like 'X-Client_IP', then
> why is that the requests routed directly to Tornado (not via Nginx) contain
> the correct header 'X-Client-IP'? It seem like something happens when the
> requests go through nginx and the header is dropped.

Usually headers are accessed by a backend code via CGI-like 
environment variables like HTTP_X_CLIENT_IP, which makes it 
impossible to distinguish "_" from "-", that's why I suggested the 
"_" as a most likely reason.

> Below is part of my nginx config, and the last location block is the
> relevant one here.

There is nothing which may cause such a behaviour in your config, 
but the "part" part is what always leaves a room for speculations.

By default nginx doesn't removes any X-* headers from proxied 
requests.  If the header was indeed removed (i.e. you see it on 
the wire before nginx, but not between nginx and a backend) it may 
indicate one of the following:

1) The header was ignored as invalid, e.g. due to underscore in 
it's name.  Check nginx logs for "client sent invalid header line" 
messages at info level, it might provide additional information.

2) The header was hidden by proxy configuration, either by 
proxy_set_header with the exact name, or using 

3) Something really bad happened which prevented request from 
being parsed correctly.

In either case debug log 
( should provide 
enough info to diagnose the problem.  Actually looking on the data 
on the wire (e.g. with "tcpdump -Xs0" might also help).

Maxim Dounin

More information about the nginx mailing list