Igor Sysoev | 30 Dec 19:26

Keep client ip address


> I have the following system:
> - a machine doing NAT that sends all connections of port 9000 (testing
> purposes) to a machine turning nginx 4.14 at 192.168.1.21.
> - This machine sends the requests to 192.168.1.15, a machine running
> apache with mod_python and django.
>
> The forwarding works just great, but I would like the logs of Apache
> to use the client's IP, not 192.168.1.21, in order not to change
> anything for the different sites administrators.
>
> In order to do this, I've this configuration:
>
>    server {
>        listen           80;
>        server_name      www.mysite.com;
>        # vhost specific logs
>        access_log       /var/log/nginx/www.mysite.com.access.log combined;
>
>        #Set the max size for file uploads to 50Mb
>        client_max_body_size  50M;
>
>        location / {
>            proxy_pass   http://192.168.1.15;
>            proxy_redirect          off;
>            proxy_set_header        Host             $host;
>            proxy_set_header        X-Real-IP        $remote_addr;
>            proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
>
>            set_real_ip_from   192.168.1.0/24;

Aleksandar Lazic | 30 Dec 19:40

Re: Keep client ip address

Hi,

On Sam 30.12.2006 21:26, Igor Sysoev wrote:
>
>>I have the following system:
[snipp]
>>Is what I want to do possible? Does my approach make sense?
>
>nginx passes a client address in X-Real-IP or X-Forwarded-For using
>
>            proxy_set_header        X-Real-IP        $remote_addr;
>            proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
>
>On Apache side you need to set mod_rpaf ( http://stderr.net/apache/rpaf/ )

or you change %h with %{X-Real-IP}i or with %{X-Forwarded-For}i

http://httpd.apache.org/docs/2.2/mod/mod_log_config.html

>On nginx side you do not need
>
>            set_real_ip_from   192.168.1.0/24;
>            real_ip_header     X-Real-IP;
>
>They do the same thing as mod_rpaf for Apache.

I think the realip_module isn't built by default, isn't it?!

If not then don't forget to give --with-http_realip_module option to


Re: Keep client ip address

Hi,

Thanks Aleksandar and Igor for your answers.

Eventually I've removed all references to real_ip, added those lines:
            proxy_set_header        Host             $host;
            proxy_set_header        X-Real-IP        $remote_addr;
            proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
and defined a new log format for my apache server with %{X-Forwarded-For}i

And it works like a charm.

I don't know if changing the log format is the cleanest solution, but
for my simple setup mod_rpaf is a bit overkill and the log change just
works (kiss).

Concerning the compilation options, I have to admit I've used an
Ubuntu precompiled package at http://deb.wapper.ru/nginx/. Hopefully
nginx will quickly be integrated into Ubuntu, you definitely deserve
it (it's in feisty, a bit far yet...).

I've been surprised by how quickly I got a (correct and helpful)
answer. Again, thanks a lot.

Happy new year,

Guille

On 12/30/06, Aleksandar Lazic <al-nginx@...> wrote:
> Hi,

Aleksandar Lazic | 30 Dec 22:09

Re: Keep client ip address

Hi,

On Sam 30.12.2006 21:57, Guillermo Fernandez Castellanos wrote:
>
>Thanks Aleksandar and Igor for your answers.
>
>Eventually I've removed all references to real_ip, added those lines:
>            proxy_set_header        Host             $host;
>            proxy_set_header        X-Real-IP        $remote_addr;
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I think this line isn't needed if you use X-Forwarded-For ;-)

>   proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;

>and defined a new log format for my apache server with %{X-Forwarded-For}i

This is like a standard for apache behind a proxy ;-)

>I've been surprised by how quickly I got a (correct and helpful)
>answer. Again, thanks a lot.

That was also my first positive surprise, that's one of the reasons why I
like nginx ;-)

>Happy new year,

Thanks && also to you ;-)

BR


Igor Sysoev | 30 Dec 22:07

Re: Keep client ip address

On Sat, 30 Dec 2006, Guillermo Fernandez Castellanos wrote:

> Eventually I've removed all references to real_ip, added those lines:
>           proxy_set_header        Host             $host;
>           proxy_set_header        X-Real-IP        $remote_addr;
>           proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
> and defined a new log format for my apache server with %{X-Forwarded-For}i
>
> And it works like a charm.
>
> I don't know if changing the log format is the cleanest solution, but
> for my simple setup mod_rpaf is a bit overkill and the log change just
> works (kiss).

The mod_rpaf also sets a real client address for several Apache modules such as
mod_status (/server-status), mod_access (Allow/Deny) and logging module.

Igor Sysoev
http://sysoev.ru/en/
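
Added example, not part of the thread and not nginx or Apache code: a Python model of how `$proxy_add_x_forwarded_for` builds the header that ends up in a `%{X-Forwarded-For}i` log field, and how to pick the client address from it when only the proxy network 192.168.1.0/24 from the thread is trusted. The function names and the 203.0.113.x / 198.51.100.x / 10.0.0.1 sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: trust only the proxy network named in the thread's
# set_real_ip_from line; nginx itself sits at 192.168.1.21.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.0/24")]

def proxy_add_x_forwarded_for(incoming_header, remote_addr):
    """Model of nginx's $proxy_add_x_forwarded_for: the request's own
    X-Forwarded-For with $remote_addr appended, or $remote_addr alone."""
    return f"{incoming_header}, {remote_addr}" if incoming_header else remote_addr

def leftmost(xff):
    """First entry of the header, i.e. what a log reader sees first."""
    return xff.split(",")[0].strip()

def client_from_chain(xff, peer_addr):
    """Walk peer + header entries right to left and stop at the first
    address outside TRUSTED_PROXIES. Entries to its left were not written
    by our proxy and are ignored."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [peer_addr]
    client = peer_addr
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last valid address
        client = str(addr)
        if not any(addr in net for net in TRUSTED_PROXIES):
            break
    return client

if __name__ == "__main__":
    nginx = "192.168.1.21"
    # Constructed requests: (X-Forwarded-For sent by the client, client address)
    for sent, remote in [("", "203.0.113.7"), ("10.0.0.1", "203.0.113.7")]:
        xff = proxy_add_x_forwarded_for(sent, remote)
        print(f"logged={xff!r} leftmost={leftmost(xff)} "
              f"resolved={client_from_chain(xff, nginx)}")
    # Request that reaches Apache without passing through nginx:
    print(client_from_chain("10.0.0.1", "198.51.100.9"))
```

The value nginx writes into `X-Real-IP` from `$remote_addr` corresponds to the resolved address here, since that header is set by the proxy rather than appended to what the request carried.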

Igor Sysoev | 30 Dec 19:45

Re: Keep client ip address

On Sat, 30 Dec 2006, Aleksandar Lazic wrote:

> On Sam 30.12.2006 21:26, Igor Sysoev wrote:
>> 
>>> I have the following system:
> [snipp]
>>> Is what I want to do possible? Does my approach make sense?
>> 
>> nginx passes a client address in X-Real-IP or X-Forwarded-For using
>> 
>>            proxy_set_header        X-Real-IP        $remote_addr;
>>            proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
>> 
>> On Apache side you need to set mod_rpaf ( http://stderr.net/apache/rpaf/ )
>
> or you change %h with %{X-Real-IP}i or with %{X-Forwarded-For}i
>
> http://httpd.apache.org/docs/2.2/mod/mod_log_config.html
>
>> On nginx side you do not need
>> 
>>            set_real_ip_from   192.168.1.0/24;
>>            real_ip_header     X-Real-IP;
>> 
>> They do the same thing as mod_rpaf for Apache.
>
> I think the realip_module isn't built by default, isn't it?!

Yes, it is not built by default.

