I often see the following line in the nginx error log. This causes 50x errors to appear to visitors of the site. We have a multilanguage site with URLs like language.example.com.

[error] 25720#0: *2716 limiting connections by zone "slimits", client: 127.0.0.1, server: localhost, request: .......

The client is always appearing as 127.0.0.1 which is quite suspicious.

There is load balancing in place that uses localhost and also another server. The upstream nginx config:

upstream example.com {
    server 127.0.0.1:8082 weight=3 max_fails=3 fail_timeout=2;
    server otherserver.example.net:8082 max_fails=3 fail_timeout=2;
}

The slimits value is now set to 40:

limit_conn slimits 40;

As far as I know this limit is supposed to be the limit of connections that a REMOTE user should be able to open. I guess that the IP address of the remote user is not passed correctly to the nginx down the line.

And this is the site definition:

server {
    listen   80 default_server;
    server_name localhost;

    allow   all;
}


server {
    listen   80;
    server_name *.example.com;    
    # stop   subdomains like  everything.example.com
    deny all;
}
server {
    listen   80;
    server_name server.com www.example.com;
    location / {
        proxy_pass   http://example.com;
    }
}
server {
    listen   80;
    server_name fr.example.com;
    location / {
        proxy_pass   http://fr.example.com;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Nginx version is: 1.0.12.

masegaloeh
dawez

1 Answer

OP stated in a comment that this setting solved the wrong IP problem.

real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0; 

However, set_real_ip_from 0.0.0.0/0 could be troublesome in the future. Basically, nginx trusts any internet host to give the real IP address via the X-Forwarded-For header, even in a spoofed request. For example (credit to this thread):

curl --header "X-Forwarded-For: 1.2.3.4" "http://localhost/"

The above request was generated with curl from localhost; it did not come from the nginx load balancer.

For now, spoofing is a little difficult because the server only sits on 127.0.0.1, but this can serve as a security precaution.

So, we change it so that nginx only trusts X-Forwarded-For from the load balancer IP address 127.0.0.1:

real_ip_header X-Forwarded-For;
set_real_ip_from 127.0.0.1; 
masegaloeh
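The difference between the two set_real_ip_from values, as an added example that is not part of the original answer: a small Python model of how the realip module picks the client address with real_ip_header X-Forwarded-For and real_ip_recursive off (the last address in the header is used, and only when the TCP peer is trusted). The function names and the sample requests are constructed for illustration.

```python
import ipaddress

def proxy_add_x_forwarded_for(client_xff, remote_addr):
    """Value of $proxy_add_x_forwarded_for: the client's own header with
    the proxy's $remote_addr appended."""
    return f"{client_xff}, {remote_addr}" if client_xff else remote_addr

def effective_client_ip(peer, xff, trusted):
    """Model of realip (non-recursive): if the TCP peer matches a
    set_real_ip_from network, replace it with the LAST header address;
    otherwise, or if that address does not parse, keep the peer."""
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(n) for n in trusted]
    if not xff or not any(peer_ip in n for n in nets):
        return peer
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return peer

# Constructed requests as the backend sees them: (label, TCP peer, X-Forwarded-For)
REQUESTS = [
    ("via balancer, no client header", "127.0.0.1",
     proxy_add_x_forwarded_for("", "198.51.100.7")),
    ("via balancer, forged client header", "127.0.0.1",
     proxy_add_x_forwarded_for("1.2.3.4", "198.51.100.7")),
    ("direct to backend, forged header", "203.0.113.50", "1.2.3.4"),
    ("direct to backend, unparsable header", "203.0.113.50", "not-an-ip"),
]

def compare(trusted_sets):
    """Resolve every sample request under each set_real_ip_from setting."""
    return {name: [effective_client_ip(peer, xff, nets) for _, peer, xff in REQUESTS]
            for name, nets in trusted_sets.items()}

if __name__ == "__main__":
    settings = {"0.0.0.0/0": ["0.0.0.0/0"], "127.0.0.1": ["127.0.0.1"]}
    result = compare(settings)
    for i, (label, peer, xff) in enumerate(REQUESTS):
        print(f"{label}: peer={peer} XFF={xff!r}")
        for name in settings:
            print(f"    set_real_ip_from {name:<10} -> {result[name][i]}")
```

Only the third request resolves differently: with 0.0.0.0/0 the backend adopts the sender-chosen 1.2.3.4, while with 127.0.0.1 it keeps the real peer 203.0.113.50.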