Nginx real_ip_recursive

ianjoneill nginx-forum at nginx.us
Mon Sep 15 13:11:37 UTC 2014


Hello,

I am using nginx to proxy connections to a server I have written in Java,
which serves connections on port 8080. I am trying to use the
X-Forwarded-For header to identify the real IP address of a connection, but
I am running into difficulties with the nginx setting real_ip_recursive.

My nginx config file example_vhost in /etc/nginx/sites-enabled/:

server {
  listen                *:80;

  server_name           example.com;

  index  index.html index.htm index.php;

  location / {

    proxy_pass          http://127.0.0.1:8080;
    proxy_read_timeout  90;
    proxy_connect_timeout  90;
    proxy_redirect  off;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    #proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    set_real_ip_from    127.0.0.1;
    real_ip_header      X-Forwarded-For;
    real_ip_recursive   on;
  }
}

This proxies requests onto my server as I expect, but I do not receive the
correct IP address in the X-Forwarded-For header. If I connect to the server
from a different IP address, spoofing the X-Forwarded-For header, I do not
get the IP address of the machine, but rather get the spoofed addresses.

Example with curl on client machine 10.0.2.2:
$ curl -I --header "X-Forwarded-For: 1.1.1.1, 2.2.2.2" 10.0.2.15

Headers as received by my proxied Java server (extracted using tcpdump) on
server machine 10.0.2.15:
$ sudo /usr/sbin/tcpdump -i lo -A -s 0 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
13:50:13.338901 IP localhost.50997 > localhost.8080: Flags [P.], seq 3051450771:3051450976, ack 3527489033, win 4099, options [nop,nop,TS val 1891289 ecr 1891289], length 205
E....M at .@............5"...q..A6 ...........
........HEAD / HTTP/1.0
Host: localhost
X-Real-IP: 10.0.2.2
Connection: close
User-Agent: curl/7.30.0
Accept: */*
X-Forwarded-For: 1.1.1.1, 2.2.2.2

I assume I have got the nginx configuration wrong, but I am not sure how. I
am using nginx/1.6.1 on Debian Wheezy 7.6, and the output of nginx -V
includes --with-http_realip_module.

Thanks for any help in advance.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253247,253247#msg-253247
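
Added example, not part of the original post and not nginx's own code: a simplified Python model of how a realip-style lookup with set_real_ip_from and real_ip_recursive chooses the client address, and of what $proxy_add_x_forwarded_for sends upstream. The function names are hypothetical; the addresses are the ones in the post, plus a constructed 10.0.2.0/24 trust entry for the last case.

```python
import ipaddress

def _trusted(addr, trusted_nets):
    """True if addr falls inside any set_real_ip_from entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in trusted_nets)

def realip_client_addr(peer, xff, trusted_nets, recursive=True):
    """Address a realip-style lookup treats as the client (simplified model)."""
    if not xff or not _trusted(peer, trusted_nets):
        return peer  # header is only consulted when the TCP peer is trusted
    addr = peer
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    for entry in reversed(entries):  # walk the header right to left
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            break  # unparsable entry: keep the last address accepted
        addr = entry
        if not recursive or not _trusted(addr, trusted_nets):
            break  # first untrusted hop (or non-recursive mode) ends the walk
    return addr

def append_forwarded_for(xff, remote_addr):
    """Value of $proxy_add_x_forwarded_for: incoming header plus $remote_addr."""
    return f"{xff}, {remote_addr}" if xff else remote_addr

if __name__ == "__main__":
    spoofed = "1.1.1.1, 2.2.2.2"   # header sent by the curl call in the post
    trusted = ["127.0.0.1"]        # set_real_ip_from in the posted config
    # nginx side: the peer 10.0.2.2 is not trusted, so the header is ignored.
    print(realip_client_addr("10.0.2.2", spoofed, trusted))
    # With the commented-out proxy_set_header enabled, the backend would get:
    chain = append_forwarded_for(spoofed, "10.0.2.2")
    print(chain)
    # Backend side: peer is nginx on 127.0.0.1; rightmost untrusted entry wins.
    print(realip_client_addr("127.0.0.1", chain, trusted))
    # Constructed case: 10.0.2.0/24 also trusted, recursive on vs off.
    wide = trusted + ["10.0.2.0/24"]
    print(realip_client_addr("127.0.0.1", chain, wide, recursive=True))
    print(realip_client_addr("127.0.0.1", chain, wide, recursive=False))
```

The last two calls show why the trusted set should list only proxies you operate: each trusted entry moves the walk one step left, toward values the client controls.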
