Reverse proxy configuration on el7

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Thu May 7 03:07:07 UTC 2015


Hello!

On 05/07/2015 09:45 AM, Nurahmadie Nurahmadie wrote:
> Hi
> 
> On Thu, May 7, 2015 at 11:38 AM, Dewangga Bachrul Alam
> <dewanggaba at xtremenitro.org <mailto:dewanggaba at xtremenitro.org>> wrote:
> 
>     Hello!
> 
>     Did anyone have same problem when configuring reverse proxy nginx +
>     apache, when the request came from nginx, the IP didn't shows real
>     visitor.
> 
>     Example access.log:
>     127.0.0.1 - - [07/May/2015:09:27:30 +0700] "GET / HTTP/1.0" 200 61925
>     127.0.0.1 - - [07/May/2015:09:27:35 +0700] "GET / HTTP/1.0" 200 61925
>     127.0.0.1 - - [07/May/2015:09:27:43 +0700] "GET / HTTP/1.0" 200 62367
> 
>     My proxy config:
>     proxy_redirect off;
>     proxy_set_header Host $host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header X-Forwarded-Proto https;
>     client_body_buffer_size 128k;
>     proxy_connect_timeout   90;
>     proxy_send_timeout      90;
>     proxy_read_timeout      90;
>     proxy_buffers           32 4k;
> 
>     In centos6, I got additional packages like mod_rpaf /
>     mod_extract_forwarded. But I didn't find any similiar packages on
>     centos7.
> 
>     Any hints?
> 
> 
> You don't have to use both X-Real-IP and X-Forwarded-For. Just put the
> one which actually used by the app.
> 

I just test using $_SERVER['REMOTE_ADDR']; and its only shows 127.0.0.1.

Anyway, it's should be fine to use them both (CMIIW). But I've tried it
and nothing changes, the visitors ips are not showed on apache logs.

For additional information, I set the apache listen only to
127.0.0.1:8080 and set the proxy pass to http://127.0.0.1:8080;

> And it's safer to also use $remote_addr for X-Forwarded-For rather
> than $proxy_add_x_forwarded_for, since that header can be manipulated by
> the client.
> 
> For the log, check your log format at apache, it probably logging
> remote_addr (or something like that, not sure what they call it at
> apache) rather than the IP specified by X-Forwarded-For or X-Real-IP.
> Change it accordingly.
> 
> 

Didn't know yet, you have any hints? :)



More information about the nginx mailing list