NginX SSL reverse mode, client ip address problem

Rafa_F · December 6, 2015, 7:14am

In NginX reverse mode,

There is a problem that can’t get real client’s Ip address.

If I use Http protocol, I can simply handle this problem with below http
configuration.

http {
server {
listen 80;
location / {
proxy_set_header X-forwarded-for;
proxy_pass http://destAddress;
}
}
}

The problem is in SSL.

I don’t want to use http ssl listen becase of SSL handshaking burden on
NginX.

I decided to use stream codec like below.

stream {
upstream aa34 {
zone first_row 64k;
server google.com fail_timeout=5s;
}
server {
listen 127.0.0.1:8081;
location / {
proxy_pass https://aa34;
}
}
In this case, I think I can’t specify any http related parameters like
‘X-forwarded-for’.
Is there any way to change source ip address of TCP/IP Protocol
header(Ip
Header) to client’s real Ip ?

Thanks.

Posted at Nginx Forum:

WANJUNE · December 6, 2015, 11:18am

Hi WANJUNE.

Am 06-12-2015 07:14, schrieb WANJUNE:

In NginX reverse mode,

There is a problem that can’t get real client’s Ip address.

[snipp]

server {
    listen 127.0.0.1:8081;
    location / {
        proxy_pass https://aa34;
}
}
In this case, I think I can’t specify any http related parameters like
‘X-forwarded-for’.
Is there any way to change source ip address of TCP/IP Protocol
header(Ip
Header) to client’s real Ip ?

How about to use the proxy protocol?
http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt

This option was introduced in 1.9.2

##############
http://nginx.org/en/CHANGES
Changes with nginx 1.9.2 16 Jun
2015

*) Feature: the “proxy_protocol” directive in the stream module.
##############

It’s not yet in the documentation but in the code

http://nginx.org/en/docs/stream/ngx_stream_core_module.html

I would suggest to use the following line

      server <YOUR_SERVER> fail_timeout=5s proxy_protocol;

and on the origin server, in case it is nginx, this.

http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

listen … proxy_protocol …;

If your destiation server is not able to read the proxy protocol then
you only DSR (direct Server Return) is able to show you the client IP.

Cheers Aleks

WANJUNE · December 6, 2015, 12:04pm

Aleks, I’m really thank you for your timely response.
I checked “proxy_protocol on;” option is working fine and watched the L4
machine send proxy protocol header like “PROXY TCP4 [Ip1] [Ip2] [Port1]
[Port2]”.
Really thank you.

Posted at Nginx Forum: