Reverse proxy configuration on el7

Nurahmadie Nurahmadie nurahmadie at gmail.com
Thu May 7 03:11:34 UTC 2015


On Thu, May 7, 2015 at 12:07 PM, Dewangga Bachrul Alam <
dewanggaba at xtremenitro.org> wrote:

> Hello!
>
> On 05/07/2015 09:45 AM, Nurahmadie Nurahmadie wrote:
> > Hi
> >
> > On Thu, May 7, 2015 at 11:38 AM, Dewangga Bachrul Alam
> > <dewanggaba at xtremenitro.org <mailto:dewanggaba at xtremenitro.org>> wrote:
> >
> >     Hello!
> >
> >     Did anyone have same problem when configuring reverse proxy nginx +
> >     apache, when the request came from nginx, the IP didn't shows real
> >     visitor.
> >
> >     Example access.log:
> >     127.0.0.1 - - [07/May/2015:09:27:30 +0700] "GET / HTTP/1.0" 200 61925
> >     127.0.0.1 - - [07/May/2015:09:27:35 +0700] "GET / HTTP/1.0" 200 61925
> >     127.0.0.1 - - [07/May/2015:09:27:43 +0700] "GET / HTTP/1.0" 200 62367
> >
> >     My proxy config:
> >     proxy_redirect off;
> >     proxy_set_header Host $host;
> >     proxy_set_header X-Real-IP $remote_addr;
> >     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >     proxy_set_header X-Forwarded-Proto https;
> >     client_body_buffer_size 128k;
> >     proxy_connect_timeout   90;
> >     proxy_send_timeout      90;
> >     proxy_read_timeout      90;
> >     proxy_buffers           32 4k;
> >
> >     In centos6, I got additional packages like mod_rpaf /
> >     mod_extract_forwarded. But I didn't find any similiar packages on
> >     centos7.
> >
> >     Any hints?
> >
> >
> > You don't have to use both X-Real-IP and X-Forwarded-For. Just put the
> > one which actually used by the app.
> >
>
> I just test using $_SERVER['REMOTE_ADDR']; and its only shows 127.0.0.1.
>

The remote_addr will always shows 127.0.0.1 since apache is requested by
nginx, which also binds on 127.0.0.1, not directly by users.
>
>
> Anyway, it's should be fine to use them both (CMIIW). But I've tried it
> and nothing changes, the visitors ips are not showed on apache logs.
>
> For additional information, I set the apache listen only to
> 127.0.0.1:8080 and set the proxy pass to http://127.0.0.1:8080;
>
> > And it's safer to also use $remote_addr for X-Forwarded-For rather
> > than $proxy_add_x_forwarded_for, since that header can be manipulated by
> > the client.
> >
> > For the log, check your log format at apache, it probably logging
> > remote_addr (or something like that, not sure what they call it at
> > apache) rather than the IP specified by X-Forwarded-For or X-Real-IP.
> > Change it accordingly.
> >
> >
>
> Didn't know yet, you have any hints? :)
>

As I stated before, you want to change your log format to shows ip from
either X-Forwarded-For or X-Real-IP

>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>



-- 
regards,
Nurahmadie
--
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20150507/ee06f74d/attachment.html>


More information about the nginx mailing list