Reverse proxy configuration on el7
Dewangga Bachrul Alam
dewanggaba at xtremenitro.org
Thu May 7 03:49:55 UTC 2015
Hello!
Recently discovered by my self, since apache 2.4.1 or latest, it was
bundled with mod_remoteip. So, we didn't need any additional modules
like mod_rpaf or mod_extract_forwarded.
On 05/07/2015 10:11 AM, Nurahmadie Nurahmadie wrote:
>
> On Thu, May 7, 2015 at 12:07 PM, Dewangga Bachrul Alam
> <dewanggaba at xtremenitro.org <mailto:dewanggaba at xtremenitro.org>> wrote:
>
> Hello!
>
> On 05/07/2015 09:45 AM, Nurahmadie Nurahmadie wrote:
> > Hi
> >
> > On Thu, May 7, 2015 at 11:38 AM, Dewangga Bachrul Alam
> > <dewanggaba at xtremenitro.org <mailto:dewanggaba at xtremenitro.org>
> <mailto:dewanggaba at xtremenitro.org
> <mailto:dewanggaba at xtremenitro.org>>> wrote:
> >
> > Hello!
> >
> > Did anyone have same problem when configuring reverse proxy
> nginx +
> > apache, when the request came from nginx, the IP didn't shows real
> > visitor.
> >
> > Example access.log:
> > 127.0.0.1 - - [07/May/2015:09:27:30 +0700] "GET / HTTP/1.0"
> 200 61925
> > 127.0.0.1 - - [07/May/2015:09:27:35 +0700] "GET / HTTP/1.0"
> 200 61925
> > 127.0.0.1 - - [07/May/2015:09:27:43 +0700] "GET / HTTP/1.0"
> 200 62367
> >
> > My proxy config:
> > proxy_redirect off;
> > proxy_set_header Host $host;
> > proxy_set_header X-Real-IP $remote_addr;
> > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> > proxy_set_header X-Forwarded-Proto https;
> > client_body_buffer_size 128k;
> > proxy_connect_timeout 90;
> > proxy_send_timeout 90;
> > proxy_read_timeout 90;
> > proxy_buffers 32 4k;
> >
> > In centos6, I got additional packages like mod_rpaf /
> > mod_extract_forwarded. But I didn't find any similiar packages on
> > centos7.
> >
> > Any hints?
> >
> >
> > You don't have to use both X-Real-IP and X-Forwarded-For. Just put the
> > one which actually used by the app.
> >
>
> I just test using $_SERVER['REMOTE_ADDR']; and its only shows 127.0.0.1.
>
>
> The remote_addr will always shows 127.0.0.1 since apache is requested by
> nginx, which also binds on 127.0.0.1, not directly by users.
>
>
> Anyway, it's should be fine to use them both (CMIIW). But I've tried it
> and nothing changes, the visitors ips are not showed on apache logs.
>
> For additional information, I set the apache listen only to
> 127.0.0.1:8080 <http://127.0.0.1:8080> and set the proxy pass to
> http://127.0.0.1:8080;
>
> > And it's safer to also use $remote_addr for X-Forwarded-For rather
> > than $proxy_add_x_forwarded_for, since that header can be manipulated by
> > the client.
> >
> > For the log, check your log format at apache, it probably logging
> > remote_addr (or something like that, not sure what they call it at
> > apache) rather than the IP specified by X-Forwarded-For or X-Real-IP.
> > Change it accordingly.
> >
> >
>
> Didn't know yet, you have any hints? :)
>
>
> As I stated before, you want to change your log format to shows ip from
> either X-Forwarded-For or X-Real-IP
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org <mailto:nginx at nginx.org>
> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
>
>
> --
> regards,
> Nurahmadie
> --
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
More information about the nginx
mailing list