Proxy requests that return a 403 error - issue with sending headers

Francis Daly francis at
Fri Mar 16 08:24:05 UTC 2018

On Thu, Mar 15, 2018 at 08:04:13PM +0000, Friscia, Michael wrote:

Hi there,

> I have a block in my global settings that offers these header additions.

> proxy_set_header X-Origin-Forwarded-For $remote_addr;

> But what seems to be happening is that for any normal request, the client IP address is being passed to the web app but when I make the request for a page that returns the 403 error because of the IP restriction, none of the headers above are being applied to the request. So the web app is never getting passed my custom headers.

If I'm reading this right, you report that one request from the client
to nginx is proxy_pass'ed to another server with the "proxy_set_header
X-Origin-Forwarded-For" having the desired value; while another request
from the client to nginx is proxy_pass'ed to the other server without the
"proxy_set_header X-Origin-Forwarded-For" having the desired value.

If that is the case: are the two requests to nginx handled in the same
location{} in nginx?

Are you aware of directive inheritance in nginx? Briefly, it is either
"none" or "replacement", and never "addition".

> My question is if there is some sort of setting I am missing and I ask that making an assumption that the problem is that Nginx is making a request without sending headers, getting the 403 error and then all processing stops and I just get an access denied page.

tcpdump or the equivalent, (or nginx logs, or next-server logs), can show
what actual headers and values are sent from nginx to the next server.

The server returning the 403 should have logs saying why it is returning

With that information, you should be able to remove most guesswork.

> Any thoughts on how to handle this problem would be appreciated.

If it's not clear from the above steps, show your nginx config, and give
one example request that does do what you want it to and one that does
not do what you want it to.

Francis Daly        francis at

More information about the nginx mailing list