3

On an nginx-enabled website I maintain, some visitors are behind a certain forward proxy. Since requests pass through the proxy's servers, the HTTP Request IP address in these cases is always from proxy servers instead of from the original requestor.

However, the proxy makes sure to include the original requestor IP in a separate HTTP header field called X-IORG-FBS-UIP. It can also be found in X-FORWARDED-FOR.

In nginx access logs, I notice the proxy IP is what shows up for all these users, not the real IP. How can I configure nginx such that the original requestor IP is logged by nginx, and not the proxy one? An illustrative example would be great; thanks in advance!


p.s. my nginx is v 1.4.6

Hassan Baig

1 Answer

4

This is done using set_real_ip_from to update the $remote_addr variable based on a custom header. For example, /etc/nginx/conf.d/proxies_acl.conf can be created as follows, to set the client IP variable based on the X-IORG-FBS-UIP header for requests proxied by 1.2.3.0/22 and 23.22.20.0/22:

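```
# Accept the client-IP header only on connections from these proxy ranges (example values)
set_real_ip_from 1.2.3.0/22;
set_real_ip_from 23.22.20.0/22;
# Header whose value replaces $remote_addr for those connections
real_ip_header X-IORG-FBS-UIP;
```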
Andrei
  • Thanks for the tip Andrei. Clarification: I haven't used `/conf.d` for configuration before (it's empty), but I'm guessing I just need to create the said `acl.conf` file there, then do `nginx -t` to ensure the config works, and then just do `nginx reload`. Correct? Or am I missing something? – Hassan Baig Feb 19 '17 at 20:04
  • Moreover, I hope this won't disrupt the IP of those users who're not behind the forward proxy? And one last one: in `proxy_params`, I've included the line `proxy_set_header X-Real-IP $remote_addr;` – Hassan Baig Feb 19 '17 at 20:10
  • You should be all set! The custom IP header will only be used for the defined ACL ranges. – Andrei Feb 20 '17 at 14:19
  • I marked and upvoted since it was a complete answer. But if you could add more explanation, please do. I'm new to this and can't wrap my head around why you chose `1.2.3.0/22` and `23.22.20.0/22`? – Hassan Baig Mar 24 '17 at 11:41
  • 1.2.3.0/22 and 23.22.20.0/22 are just example IP ranges. You would replace those with your trusted IP ranges for requests which have X-IORG-FBS-UIP set – Andrei Mar 25 '17 at 17:58
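
Added example (not part of the answer above and not nginx source code): a simplified Python model of the trust decision that `set_real_ip_from`, `real_ip_header` and `real_ip_recursive` describe, showing why visitors who are not behind the proxy keep their own address and why the ranges must list only the proxy's servers. The helper name `logged_client_ip` and the sample client addresses are assumptions made for illustration.

```python
import ipaddress

# Example ranges from the answer above (placeholders for your proxy's real ranges).
TRUSTED = ["1.2.3.0/22", "23.22.20.0/22"]


def _networks(cidrs):
    # strict=False masks the low bits, so 1.2.3.0/22 covers 1.2.0.0-1.2.3.255.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _is_trusted(addr, nets):
    return any(addr in net for net in nets)


def logged_client_ip(peer, header_value, trusted=TRUSTED, recursive=False):
    """Model which address ends up in $remote_addr (hypothetical helper).

    peer         -- source address of the TCP connection nginx accepted
    header_value -- value of the header named by real_ip_header, or None
    recursive    -- True models `real_ip_recursive on`
    """
    nets = _networks(trusted)
    peer_ip = ipaddress.ip_address(peer)
    # The header is ignored unless the connection comes from a trusted range,
    # so direct visitors keep their own address even if they send the header.
    if not header_value or not _is_trusted(peer_ip, nets):
        return str(peer_ip)
    chosen = None
    # Walk the comma/space separated list from the right-most entry.
    for token in reversed(header_value.replace(",", " ").split()):
        try:
            candidate = ipaddress.ip_address(token)
        except ValueError:
            break  # unparsable entry: keep whatever was chosen so far
        chosen = candidate
        if not (recursive and _is_trusted(candidate, nets)):
            break  # stop unless recursing past an entry that is a trusted proxy
    return str(chosen) if chosen is not None else str(peer_ip)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, header value).
    for peer, hdr in [("1.2.3.4", "203.0.113.7"), ("198.51.100.9", "203.0.113.7")]:
        print(peer, hdr, "->", logged_client_ip(peer, hdr))
```

The second sample request shows that any client can send the header, so the logged address is only as trustworthy as the ranges passed to `set_real_ip_from`.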