ProxyProtocol with SSL client verification failure does not log client's address
limit.usus at gmail.com
Tue Oct 13 16:13:43 UTC 2020
I placed nginx behind an AWS NLB with proxy protocol enabled, and configured it to log
the client's "real" IP.
listen 443 ssl proxy_protocol;
and I need to verify clients' certificates; these are written in my config.
With valid clients, i.e. with valid client certificates, the log is as
expected: the client's real IP is logged.
However, the load balancer's address is logged when the client does not show
the client certificate.
I would expect nginx to log the real IP even if client verification fails,
because ProxyProtocol has nothing to do with client verification.
Is there anything I should check or fix in my configuration, or is it a bug of
* I'm using the nginx:1.19.3 docker image in an AWS Fargate service.
* I enabled/disabled http2 in the listen directive and the result was the same.
* I logged $remote_addr and $realip_remote_addr, but these have the same
value when client verification fails.
Mail : limit.usus at gmail.com
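As an added example (not from the original post or the nginx project), one way to check this from the log side is to record the address parsed from the PROXY protocol header, $proxy_protocol_addr, next to $remote_addr and $ssl_client_verify. The trusted subnet and certificate paths below are placeholders.

```nginx
# Added example config (constructed, not the poster's): nginx behind a
# PROXY-protocol load balancer with client certificate verification.
http {
    # Only trust PROXY headers from the load balancer's subnet (placeholder range).
    set_real_ip_from 10.0.0.0/16;
    # Have the realip module rewrite $remote_addr from the PROXY header.
    real_ip_header  proxy_protocol;

    # $proxy_protocol_addr is set when the PROXY header is parsed on the
    # connection, so it can be compared with the realip-rewritten $remote_addr.
    # $ssl_client_verify shows SUCCESS, NONE or FAILED:<reason> per request.
    log_format proxied '$proxy_protocol_addr $remote_addr $realip_remote_addr '
                       '$ssl_client_verify "$request" $status';

    server {
        listen 443 ssl proxy_protocol;
        server_name example.com;   # placeholder

        ssl_certificate        /etc/nginx/certs/server.crt;      # placeholder
        ssl_certificate_key    /etc/nginx/certs/server.key;      # placeholder
        ssl_client_certificate /etc/nginx/certs/clients-ca.crt;  # placeholder
        ssl_verify_client      on;

        access_log /var/log/nginx/access.log proxied;

        location / {
            return 200 "ok\n";
        }
    }
}
```

Comparing the first three fields of a line for a request that failed verification shows whether the PROXY header was parsed at all and whether the realip rewrite of $remote_addr was applied for that request.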