NginX SSL reverse mode, client ip address problem

Aleksandar Lazic al-nginx at none.at
Sun Dec 6 10:17:53 UTC 2015


Hi WANJUNE.

On 06-12-2015 07:14, WANJUNE wrote:
> In NginX reverse mode,
> 
> There is a problem that can't get real client's Ip address.

[snip]

> I don't want to use http ssl listen because of SSL handshaking burden on
> NginX.
> 
> I decided to use stream codec like below.
> 
> stream {
>     upstream aa34 {
>         zone first_row 64k;
>         server google.com fail_timeout=5s;
>     }
>     server {
>         listen 127.0.0.1:8081;
>         location / {
>             proxy_pass https://aa34;
>     }
> }
> In this case, I think I can't specify any http related parameters like
> 'X-forwarded-for'.
> Is there any way to change source ip address of TCP/IP Protocol
> header(Ip Header) to client's real Ip ?

How about using the proxy protocol?
http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt

This option was introduced in 1.9.2

##############
http://nginx.org/en/CHANGES
Changes with nginx 1.9.2                                         16 Jun 2015

*) Feature: the "proxy_protocol" directive in the stream module.
##############

It's not yet in the documentation but in the code ;-)

http://nginx.org/en/docs/stream/ngx_stream_core_module.html

I would suggest using the following line

          server <YOUR_SERVER> fail_timeout=5s proxy_protocol;

and on the origin server, in case it is nginx, this.

http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

listen ..... proxy_protocol ....;

If your destination server is not able to read the proxy protocol then
only DSR (Direct Server Return) is able to show you the client IP.

Cheers Aleks
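
Added example, not part of the original message and not nginx code: a minimal Python parser for the version 1 (text) header described in the proxy-protocol.txt document linked above, showing what an origin server receives ahead of the TLS bytes. The names `parse_proxy_v1`, `client_address`, `trusted_proxies` and the sample bytes are assumptions made for illustration; the header address is honored only when the TCP peer is a listed proxy, the same role `set_real_ip_from` plays in nginx's realip module.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header the spec allows, CRLF included

def parse_proxy_v1(data: bytes):
    """Return (addresses, rest). addresses is (src_ip, src_port, dst_ip,
    dst_port), or None for 'PROXY UNKNOWN'. Raises ValueError if malformed."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]  # payload after the header, e.g. the TLS ClientHello
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or int(p) > 65535:
            raise ValueError("bad port")
        ports.append(int(p))
    return (str(src), ports[0], str(dst), ports[1]), rest

def client_address(peer_ip, data, trusted_proxies):
    """The listener always expects the header, but the address inside it
    replaces the socket peer only when that peer is a trusted proxy."""
    parsed, rest = parse_proxy_v1(data)
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(n) for n in trusted_proxies)
    if parsed is None or not trusted:
        return peer_ip, rest
    return parsed[0], rest

# Constructed sample: header as a proxy would send it, then the first
# three bytes of a TLS record standing in for the client's handshake.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n\x16\x03\x01"

if __name__ == "__main__":
    print(client_address("10.0.0.5", SAMPLE, ["10.0.0.0/8"]))
    print(client_address("198.51.100.9", SAMPLE, ["10.0.0.0/8"]))
```

A peer outside the trusted list can put any address it likes in the header, which is why the second call keeps the socket peer address.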


