5

I'm reverse proxying with nginx behind Google Cloud (HTTPS) Load Balancer, so I add the X-Forwarded-For header so that the backend can extract the client (browser) IP.

This morning I noticed a 10.x.x.x IP in the logs. How is this possible?

Rhangaun

2 Answers

7

How does your logging interpret the header containing multiple IP addresses? If it takes the first IP address instead of the correct one, this may well be an address added by someone's forward proxy instead of your reverse proxy.

The header and its contents are documented in GCP Setting Up HTTP(S) Load Balancing article:

X-Forwarded-For: <unverified IP(s)>, <immediate client IP>, <global forwarding rule external IP>, <proxies running in GCP> (requests only)

A comma-separated list of IP addresses appended by the intermediaries the request traveled through. If you are running proxies inside GCP that append data to the X-Forwarded-For header, then your software must take into account the existence and number of those proxies. Only the <immediate client IP> and <global forwarding rule external IP> entries are provided by the load balancer. All other entries in the list are passed along without verification.

Just adjust your logging accordingly.

Esa Jokinen
  • Ok I should have read this doc more carefully ;) Only guaranteed way to get the right one seems to be to find the global external IP and extract the one before. – Rhangaun Apr 20 '18 at 16:12
  • Correct! Just remember that the position seems fixed from the end, as the `` might be multiple. – Esa Jokinen Apr 20 '18 at 16:30
  • In general, you should not trust (and should probably ignore/remove) any `X-Forwarded-For` headers inserted by a proxy you don't control and trust. – Barmar Apr 24 '18 at 18:58
  • It's also usually a good idea to have the load balancer or reverse proxy send a completely separate header containing the actual client IP address you are interested in. On GCP, a [user defined request header](https://cloud.google.com/load-balancing/docs/backend-service#user-defined-request-headers) can do this. – Michael Hampton Oct 03 '18 at 16:00
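The extraction discussed in the answer and comments above, as an added example that is not part of the original posts: it counts from the end of the list and checks that the entry after the client IP is the load balancer's external IP. The function names, the `gcp_proxies` parameter and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

def first_entry(header):
    """What a naive logger does: take the leftmost (unverified) entry."""
    return header.split(",")[0].strip()

def client_ip_from_xff(header, lb_external_ip, gcp_proxies=0):
    """Return the <immediate client IP> entry of a GCP load balancer XFF value.

    header          raw header value (repeated headers joined with commas)
    lb_external_ip  global forwarding rule external IP (assumed known)
    gcp_proxies     how many of your own proxies in GCP append an entry
    Returns None when the header does not have the documented shape.
    """
    entries = [e.strip() for e in header.split(",") if e.strip()]
    # Documented layout, read from the right:
    #   ..., <immediate client IP>, <LB external IP>, <gcp_proxies entries>
    lb_pos = len(entries) - 1 - gcp_proxies
    client_pos = lb_pos - 1
    if client_pos < 0:
        return None  # too short: request did not come through the LB
    try:
        seen_lb = ipaddress.ip_address(entries[lb_pos])
        if seen_lb != ipaddress.ip_address(lb_external_ip):
            return None  # expected LB entry missing: do not trust the list
        return str(ipaddress.ip_address(entries[client_pos]))
    except ValueError:
        return None  # malformed entry where an IP was required

# Constructed sample values (documentation address ranges).
LB_IP = "198.51.100.10"
SAMPLES = [
    ("203.0.113.7, 198.51.100.10", 0),
    ("10.1.2.3, 203.0.113.7, 198.51.100.10", 0),  # client sent its own XFF
    ("10.1.2.3, 192.0.2.99, 203.0.113.7, 198.51.100.10, 10.128.0.5", 1),
    ("198.51.100.10", 0),                          # no client entry
    ("203.0.113.7, 198.51.100.99", 0),             # wrong LB address
]

if __name__ == "__main__":
    for value, hops in SAMPLES:
        print(f"{value!r}: naive={first_entry(value)} "
              f"checked={client_ip_from_xff(value, LB_IP, hops)}")
```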
0

I am using the Google Cloud load balancer, Google Cloud DNS, and nginx as a reverse proxy, with the nginx configuration below.

set_real_ip_from 10.48.0.0/14;
set_real_ip_from 10.128.0.0/9;
set_real_ip_from 10.114.44.0/22;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

It works with Cloudflare DNS but not with Google Cloud DNS and AWS Route 53. I have been facing this issue for 1 month. I have also used `real_ip_header CF-Connecting-IP;` but it still does not fetch the client IP. I always see the local IPs of GCP instances in the nginx logs. Is there any issue with DNS? Please let me know how to resolve this issue.