Reverse proxy configuration on el7

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Thu May 7 03:49:55 UTC 2015


Hello!

Recently discovered by my self, since apache 2.4.1 or latest, it was
bundled with mod_remoteip. So, we didn't need any additional modules
like mod_rpaf or mod_extract_forwarded.

On 05/07/2015 10:11 AM, Nurahmadie Nurahmadie wrote:
> 
> On Thu, May 7, 2015 at 12:07 PM, Dewangga Bachrul Alam
> <dewanggaba at xtremenitro.org <mailto:dewanggaba at xtremenitro.org>> wrote:
> 
>     Hello!
> 
>     On 05/07/2015 09:45 AM, Nurahmadie Nurahmadie wrote:
>     > Hi
>     >
>     > On Thu, May 7, 2015 at 11:38 AM, Dewangga Bachrul Alam
>     > <dewanggaba at xtremenitro.org <mailto:dewanggaba at xtremenitro.org>
>     <mailto:dewanggaba at xtremenitro.org
>     <mailto:dewanggaba at xtremenitro.org>>> wrote:
>     >
>     >     Hello!
>     >
>     >     Did anyone have same problem when configuring reverse proxy
>     nginx +
>     >     apache, when the request came from nginx, the IP didn't shows real
>     >     visitor.
>     >
>     >     Example access.log:
>     >     127.0.0.1 - - [07/May/2015:09:27:30 +0700] "GET / HTTP/1.0"
>     200 61925
>     >     127.0.0.1 - - [07/May/2015:09:27:35 +0700] "GET / HTTP/1.0"
>     200 61925
>     >     127.0.0.1 - - [07/May/2015:09:27:43 +0700] "GET / HTTP/1.0"
>     200 62367
>     >
>     >     My proxy config:
>     >     proxy_redirect off;
>     >     proxy_set_header Host $host;
>     >     proxy_set_header X-Real-IP $remote_addr;
>     >     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     >     proxy_set_header X-Forwarded-Proto https;
>     >     client_body_buffer_size 128k;
>     >     proxy_connect_timeout   90;
>     >     proxy_send_timeout      90;
>     >     proxy_read_timeout      90;
>     >     proxy_buffers           32 4k;
>     >
>     >     In centos6, I got additional packages like mod_rpaf /
>     >     mod_extract_forwarded. But I didn't find any similiar packages on
>     >     centos7.
>     >
>     >     Any hints?
>     >
>     >
>     > You don't have to use both X-Real-IP and X-Forwarded-For. Just put the
>     > one which actually used by the app.
>     >
> 
>     I just test using $_SERVER['REMOTE_ADDR']; and its only shows 127.0.0.1.
> 
> 
> The remote_addr will always shows 127.0.0.1 since apache is requested by
> nginx, which also binds on 127.0.0.1, not directly by users. 
> 
> 
>     Anyway, it's should be fine to use them both (CMIIW). But I've tried it
>     and nothing changes, the visitors ips are not showed on apache logs.
> 
>     For additional information, I set the apache listen only to
>     127.0.0.1:8080 <http://127.0.0.1:8080> and set the proxy pass to
>     http://127.0.0.1:8080;
> 
>     > And it's safer to also use $remote_addr for X-Forwarded-For rather
>     > than $proxy_add_x_forwarded_for, since that header can be manipulated by
>     > the client.
>     >
>     > For the log, check your log format at apache, it probably logging
>     > remote_addr (or something like that, not sure what they call it at
>     > apache) rather than the IP specified by X-Forwarded-For or X-Real-IP.
>     > Change it accordingly.
>     >
>     >
> 
>     Didn't know yet, you have any hints? :)
> 
>  
> As I stated before, you want to change your log format to shows ip from
> either X-Forwarded-For or X-Real-IP 
> 
> 
>     _______________________________________________
>     nginx mailing list
>     nginx at nginx.org <mailto:nginx at nginx.org>
>     http://mailman.nginx.org/mailman/listinfo/nginx
> 
> 
> 
> 
> -- 
> regards,
> Nurahmadie
> --
> 
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> 



More information about the nginx mailing list