My firewall is working OK: the connection from the internet is forwarded to an NGINX server, which then distributes it accordingly, and the application server works correctly except for the internal logs.
The issue I'm facing is regarding the IP being received by our application server: they are not the "client IP", instead, they are currently the NGINX IP.
Consider this network: client IP 1, firewall IP 2, NGINX IP 3, webserver IP 4.
At the firewall we see the packets being forwarded to NGINX, but at NGINX with tcpdump we see incoming connections from NGINX's own IP 3 instead of the original source IP 1.
The point is that in the webserver logs we see our incoming connections as IP 3; expected is IP 1.
Is it a misconfiguration with firewall or NGINX? Any ideas on how to solve this?
Current config (/etc/nginx/sites-enabled/app.domain.com):
...
location ^~ / {
    proxy_pass http://10.0.0.11;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
...
Answer 1
This is normal operation. When nginx is a reverse proxy, it opens a connection to the final destination and proxies from the client to the application server. The source IP cannot be anything other than the nginx IP address, otherwise the TCP connection would not work.
You need to set up the application server to use the IP address specified in the X-Real-IP header instead of the IP address from the TCP connection.
Answer 2
The solution for this case was to change the C# code as below. No firewall or nginx changes were made.
var userIP = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
Previous unsuccessful attempts:
var userIP = Request.ServerVariables["X_FORWARDED_FOR"];
var userIP = Request.ServerVariables["X-REAL-IP"];
var userIP = Request.ServerVariables["REMOTE_ADDR"];
var userIP = Request.UserHostAddress;
Thanks to all contributors for helping clarify that the issue was neither in the firewall nor in the nginx config.
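An added example, not part of the original question or answers: with the config above, `$proxy_add_x_forwarded_for` appends the address NGINX saw to whatever X-Forwarded-For value the client already sent, so only the entry NGINX appended is reliable, and only when the request really arrived from NGINX. The class name `ClientIpResolver`, the method `Resolve` and the proxy address 10.0.0.10 are assumptions made for illustration; pass in `Request.ServerVariables["REMOTE_ADDR"]` and `Request.ServerVariables["HTTP_X_FORWARDED_FOR"]`.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

static class ClientIpResolver
{
    // Assumption: the only proxy allowed to vouch for a client is NGINX ("IP 3" in the question).
    // 10.0.0.10 is a constructed placeholder, not an address from the page.
    static readonly HashSet<IPAddress> TrustedProxies =
        new HashSet<IPAddress> { IPAddress.Parse("10.0.0.10") };

    // remoteAddr: TCP peer (REMOTE_ADDR); forwardedFor: raw HTTP_X_FORWARDED_FOR, may be null.
    public static IPAddress Resolve(string remoteAddr, string forwardedFor)
    {
        IPAddress peer = IPAddress.Parse(remoteAddr);

        // A request that did not come through the proxy gets no say via headers.
        if (!TrustedProxies.Contains(peer) || string.IsNullOrWhiteSpace(forwardedFor))
            return peer;

        // Walk from the right: the rightmost entries were appended by our own proxies,
        // everything further left was supplied by the client and may be forged.
        string[] hops = forwardedFor.Split(',');
        for (int i = hops.Length - 1; i >= 0; i--)
        {
            IPAddress hop;
            if (!IPAddress.TryParse(hops[i].Trim(), out hop))
                return peer;          // malformed entry: fall back to the TCP peer
            if (!TrustedProxies.Contains(hop))
                return hop;           // first address not belonging to our proxies
        }
        return peer;                  // every listed hop was a trusted proxy
    }

    static void Main()
    {
        // Constructed sample inputs (documentation address ranges).
        // 1) Normal request through NGINX.
        Console.WriteLine(Resolve("10.0.0.10", "203.0.113.7"));
        // 2) Client sent its own X-Forwarded-For; NGINX appended the real address.
        Console.WriteLine(Resolve("10.0.0.10", "192.0.2.50, 203.0.113.7"));
        // 3) Request reached the webserver directly, bypassing NGINX.
        Console.WriteLine(Resolve("198.51.100.9", "192.0.2.50"));
    }
}
```

Using the leftmost entry of the header, or the whole header string, for logging or access decisions lets a client choose the address that gets recorded.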