Nginx the setting method for passing client IP when acting as a reverse proxy

Nginx the setting method for passing client IP when acting as a reverse proxy _nginx

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Nginx default configuration file is not in the log forwarding configuration, this requires our own manual to operate, and then the end of real server different operating methods are not the same, here we give a few examples to illustrate.

Nginx do front-end, forward log to back-end Nginx server:

Because the needs of the architecture of multi-level Nginx reverse proxy, but the backend program to obtain the client IP is front-end Nginx IP, the root of the problem is that the Nginx in the HTTP Header to take client IP when the correct value is not taken.
The same applies to the front-end is Squid or other reverse agent situation.

First front-end Nginx to do forwarding client IP configuration:

Location/{
Proxy_pass http://localhost:8000;
 
# Forward The user ' s IP address to Rails
proxy_set_header x-real-ip $remote _addr;
# needed for HTTPS
# proxy_set_header X_forwarded_proto https;
Proxy_set_header x-forwarded-for $remote _addr;
Proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;
Proxy_set_header Host $host;
Proxy_redirect off;

Back-end Nginx need to install a module: nginxhttprealipmodule, the default does not include this module when compiling, you need to recompile installation nginx,configure add –with-http _realip_module,nginx to support hot swap when upgrading or adding/removing module, you can avoid interruption of service.

After the upgrade configuration Nginxhttprealipmodule,set_real_ip_from refers to the front-end Nginx or Squid IP:

Location/{
Proxy_pass http://localhost:8000;
 
# Forward The user ' s IP address to Rails
proxy_set_header x-real-ip $remote _addr;
# needed for HTTPS
# proxy_set_header X_forwarded_proto https;
Proxy_set_header x-forwarded-for $remote _addr;
Proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;
Proxy_set_header Host $host;
Proxy_redirect off;
# nginxhttprealipmodule
set_real_ip_from 192.168.1.0/24;
Set_real_ip_from 192.168.2.1;
Real_ip_header x-real-ip;
}

Finally remember Reload Nginx config

Nginx do front end, forward log to back-end Apache server:

The Apache log has the default%h to specify your IP address for the visiting client, but use the Nginx proxy to access the%H IP address will not be allowed.
This requires the Nginx and Apache configuration files to be set X-forwarded-for parameters to obtain the client's true IP address. For clients that use a reverse proxy, trace the real IP address.
/usr/nginx/conf/nginx.conf Add the following parameters:

Proxy_set_header Host $host;
Proxy_set_header x-forwarded-for $remote _addr;
Proxy_set_header x-forwarded-host $server _name;
Proxy_set_header X-real-ip $remote _addr;

Modify at the same time:

server {
   listen;
   server_name domain name;
   Proxy_redirect off; 
    Location/{
     Proxy_set_header  x-forwarded-for $remote _addr;
     Proxy_set_header  x-forwarded-host $server _name;
     Proxy_set_header Host $host;
     Proxy_pass http://domain name
   ;
   Access_log off;

Reboot the Nginx to make the configuration effective.

The Apache side needs to install a third party module "MOD_RPAF", official website: http://stderr.net/apache/rpaf/

wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz 
tar zxvf mod_rpaf-0.6.tar.gz 
CD mod_ rpaf-0.6 
/opt/apache/bin/apxs-i-c-n mod_rpaf-2.0.so mod_rpaf-2.0.c

Modify Apache Configuration/usr/apache2/conf/httpd.conf

LoadModule rpaf_module modules/mod_rpaf-2.0.so rpafenable on Rpafsethostname on 
rpafproxy_ips IP address  #Nginx所在服务器的IP
Rpafheader x-forwarded-for

Restart Apache to see the log can be seen in the log has been achieved real IP.

Nginx do front end, forward log to back-end IIS server:

If IIS is placed behind the reverse proxy, the IP in the log is the IP of the reverse proxy server, not the IP of the real user, want to record the user's IP to do two things.

1. In the Reverse proxy Settings x-forwarded-for section, the following is an example of configuration under Nginx:

Server
{
location
{
...
..　　Proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;
..... }
}

2. Install the following ISAPI filter on the IIS site, which was found at the F5 Development Forum and, as the developer says, to address the problem that IIS cannot record user IP after F5,-_-# Whether the front end is F5 or nginx or squid or haproxy. can be used. It should be good. After the installation, restart the IIS on the finish.
Http://devcentral.f5.com/weblogs/Joe/archive/2009/08/19/x_forwarded_for_log_filter_for_windows_servers.aspx
Looking back at the IIS log, the IP inside is already the user's real IP.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More