ProxyProtocol with SSL client verification failure does not log client's address

Tomoya Kabe limit.usus at
Tue Oct 13 16:13:43 UTC 2020


I placed nginx behind an AWS NLB with proxy protocol enabled, and configured it to log
the client's "real" IP:

    listen 443 ssl proxy_protocol;
    real_ip_header proxy_protocol;
    real_ip_recursive on;

and, since I need to verify client certificates,
    ssl_verify_client on;

is written in my config.

With valid clients, i.e. with valid client certificates, the log is as
expected: the client's real IP is logged.
However, the load balancer's address is logged when the client does not present
a client certificate.

I expect that nginx could log the real IP even if client verification fails,
because the PROXY protocol has nothing to do with client verification.
Is there anything I should check or fix in my configuration, or is it a bug of

* I'm using the nginx:1.19.3 docker image in an AWS Fargate service.
* I enabled/disabled http2 in the listen directive and the result was the same.
* I logged $remote_addr and $realip_remote_addr, but these have the same
value when client verification fails.

Tomoya KABE
Mail : limit.usus at
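A diagnostic log format, added here as an example and not taken from the post: it records $proxy_protocol_addr (the address carried in the PROXY protocol header, independent of the realip substitution) and $ssl_client_verify next to $remote_addr, so the access-log line for a rejected handshake shows whether the PROXY address was received even when $remote_addr still holds the NLB's address. The set_real_ip_from range and the certificate paths are placeholders, not values from the post.

```nginx
# Added diagnostic config (not the poster's). The listen, real_ip_* and
# ssl_verify_client directives are the ones from the post; the log_format,
# set_real_ip_from range and certificate paths are assumptions/placeholders.
log_format proxy_debug '$remote_addr realip=$realip_remote_addr '
                       'pp=$proxy_protocol_addr '
                       'verify="$ssl_client_verify" '
                       '"$request" $status';

server {
    listen 443 ssl proxy_protocol;

    # realip module: replace $remote_addr with the PROXY protocol source
    # address, but only for connections arriving from the trusted LB range.
    set_real_ip_from 10.0.0.0/8;   # placeholder: the NLB's subnet in your VPC
    real_ip_header proxy_protocol;
    real_ip_recursive on;

    ssl_certificate        /etc/nginx/tls/server.crt;  # placeholder paths
    ssl_certificate_key    /etc/nginx/tls/server.key;
    ssl_client_certificate /etc/nginx/tls/ca.crt;
    ssl_verify_client on;

    # Compare the three address fields per request: a line where
    # $remote_addr == $realip_remote_addr but pp= differs tells you the
    # PROXY header arrived and only the substitution did not happen.
    access_log /var/log/nginx/access.log proxy_debug;
}
```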
