'real_ip_header proxy_protocol' don't change the client address
Maxim Dounin
mdounin at mdounin.ru
Thu Sep 28 13:54:41 UTC 2017
Hello!
On Wed, Sep 27, 2017 at 10:38:45PM -0400, fengx wrote:
> The config is rather simple as following. My test version is 1.7.2, a bit
> old. I can't upgrade to the latest one in our production for now. Anyway I
> think it should work in 1.7.2 because the document says proxy_protocol was
> introduced from 1.5.12.
>
> http {
>     log_format combined '$proxy_protocol_addr - $remote_addr - $remote_user [$time_local] '
>                         '"$request" $status $body_bytes_sent '
>                         '"$http_referer" "$http_user_agent"';
>     ...
>
>     server {
>         server_name www.abc.com;
>
>         listen 80;
>         listen 8181 proxy_protocol;
>
>         real_ip_header proxy_protocol;
>         real_ip_recursive on;
>         set_real_ip_from 192.168.1.0/24;
>
>         location / {
>             ...
>         }
>     }
> }

And how do you test?

Exactly the same config, and even with exactly the same version of
nginx works fine here:

$ telnet localhost 8181
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
PROXY TCP4 10.0.0.1 10.0.0.2 1 2
GET / HTTP/1.0
HTTP/1.1 200 OK
Server: nginx/1.7.2
Date: Thu, 28 Sep 2017 13:48:09 GMT
Content-Type: text/plain
Content-Length: 19
Connection: close
10.0.0.1 127.0.0.1
Connection closed by foreign host.

Where the response body is a result of

    return 200 "$proxy_protocol_addr $remote_addr\n";

in location /. Corresponding log line:

10.0.0.1 - 127.0.0.1 - - [28/Sep/2017:16:48:09 +0300] "GET / HTTP/1.0" 200 19 "-" "-"

Note well that it is not a good idea to run nginx 1.7.2 in
production. It is a long obsolete version of the mainline branch,
it has not been supported for more than 3 years now, and has known
security issues, see http://nginx.org/en/security_advisories.html.

--
Maxim Dounin
http://nginx.org/
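
An added illustration, not part of the original message and not nginx code: a simplified Python model of how a PROXY protocol v1 header and `set_real_ip_from` combine to produce the two addresses in the test output above. In that test the telnet peer is 127.0.0.1, which is outside 192.168.1.0/24, so `$proxy_protocol_addr` is populated while `$remote_addr` stays the TCP peer. The function names `parse_proxy_v1` and `logged_addrs` and the peer 192.168.1.10 are assumptions made for the example.

```python
import ipaddress

TRUSTED = [ipaddress.ip_network("192.168.1.0/24")]  # set_real_ip_from in the thread


def parse_proxy_v1(line: bytes):
    """Return the source address from a PROXY v1 line, or None for UNKNOWN."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("v1 header must end in CRLF and fit in 107 bytes")
    parts = line[:-2].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("missing PROXY signature or protocol field")
    if parts[1] == "UNKNOWN":
        return None  # receiver must ignore any addresses that follow
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("malformed PROXY v1 header")
    want = 4 if parts[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(p) for p in parts[2:4])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    if not all(p.isdigit() and int(p) <= 65535 for p in parts[4:6]):
        raise ValueError("bad port")
    return src


def logged_addrs(peer: str, header: bytes, trusted=TRUSTED):
    """Model ($proxy_protocol_addr, $remote_addr) for one connection."""
    peer_ip = ipaddress.ip_address(peer)
    src = parse_proxy_v1(header)
    if src is None:
        return None, str(peer_ip)
    # realip only rewrites the client address when the TCP peer is trusted
    if any(peer_ip in net for net in trusted):
        return str(src), str(src)
    return str(src), str(peer_ip)


HEADER = b"PROXY TCP4 10.0.0.1 10.0.0.2 1 2\r\n"  # header line from the telnet test
if __name__ == "__main__":
    print(logged_addrs("127.0.0.1", HEADER))     # telnet from localhost
    print(logged_addrs("192.168.1.10", HEADER))  # constructed peer inside the trusted range
```

Keeping `set_real_ip_from` limited to the addresses of the actual load balancers matters because any peer in that range can set the logged client address through the header.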