NginX SSL reverse mode, client ip address problem
Aleksandar Lazic
al-nginx at none.at
Sun Dec 6 10:17:53 UTC 2015
Hi WANJUNE.
Am 06-12-2015 07:14, schrieb WANJUNE:
> In NginX reverse mode,
>
> There is a problem that can't get real client's Ip address.
[snipp]
> I don't want to use http ssl listen becase of SSL handshaking burden on
> NginX.
>
> I decided to use stream codec like below.
>
> stream {
> upstream aa34 {
> zone first_row 64k;
> server google.com fail_timeout=5s;
> }
> server {
> listen 127.0.0.1:8081;
> location / {
> proxy_pass https://aa34;
> }
> }
> In this case, I think I can't specify any http related parameters like
> 'X-forwarded-for'.
> Is there any way to change source ip address of TCP/IP Protocol
> header(Ip
> Header) to client's real Ip ?
How about to use the proxy protocol?
http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt
This option was introduced in 1.9.2
##############
http://nginx.org/en/CHANGES
Changes with nginx 1.9.2 16 Jun
2015
*) Feature: the "proxy_protocol" directive in the stream module.
##############
It's not yet in the documentation but in the code ;-)
http://nginx.org/en/docs/stream/ngx_stream_core_module.html
I would suggest to use the following line
server <YOUR_SERVER> fail_timeout=5s proxy_protocol;
and on the origin server, in case it is nginx, this.
http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
listen ..... proxy_protocol ....;
If your destiation server is not able to read the proxy protocol then
you only DSR (direct Server Return) is able to show you the client IP.
Cheers Aleks
More information about the nginx
mailing list