The X-Forwarded-For Header is a simple so far knock-down solution to a identical common problem. I ‘m not sure why, but for some reason it besides seems to cause a fortune of confusion .
NGINX is often deployed as a cluster behind a layer 7 load halter ( Reverse Proxy ). Being a proxy implementation, Layer 7 offers a wholly master of ceremonies of options such as ACLs, cagey perseverance methods, the ability to add/remove/modify HTTP headers, and sol on .

So what’s the problem?

A reversion proxy is NOT source IP address guileless .
This is a pain when you need the customer beginning IP address to be correct in the logs of the backend servers.

I can think of a couple of solutions to this problem :

  1. Implement a fully transparent two-arm reverse proxy using TPROXY (yuk!).
  2. Configure the load balancer to add an X-Forwarded-For Header with the source IP of the client.
  3. Use Layer 4 instead (although I guess you’ve already ruled that out?)

personally, I think that by far the easiest choice when load balancing a website/web application is to use the X-Forwarded-For Header .
With, when you create a Layer 7 HTTP modality VIP shape, the X-Forwarded-For Header is enabled by default. All you need to do is slighty modify the logging directing in the web server shape ( to tell it to use the header ) .

What about other reverse proxies?

NGINX can besides be used as the load halter of path :

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Or you can use HAProxy ( our preference ) :

      option forwardfor

How do you configure NGINX to use the X-Forwarded-For Header?

With NGINX, there are two ways the serve can be modified to use the X-Forwarded-For Header. Which method you might use depends whether the NGINX binary star was compiled with the option --with-http_realip_module. You can check if the module was included by running the succeed command : nginx -V and reviewing the output signal .

Option 1 – Altering the log directive format

This option can be implemented whether or not the --with-http_realip_module was specified at compilation, and modifies the format for the access_log directing to include the X-Forwarded-For Header contents.

In the configuration file /etc/nginx/nginx.conf you will need to change the entries :

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

To show the X-Forwarded-For Header contents first in the log production line entries :

    log_format  main  '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '

    access_log  /var/log/nginx/access.log  main;

After making this change, the NGINX service will need restarting in the usual manner.
systemctl restart nginx

Option 2 – Using the ‘real_ip’ module

Assuming that NGINX has been compiled with the --with-http_realip_module choice, the httpd or waiter stanza in the /etc/nginx/nginx.conf file needs to be modified with the set_real_ip_from and real_ip_header directives :

    # Directives for setting real_ip/XFF IP address in log files
    set_real_ip_from; #IP address of master LB
    set_real_ip_from; #IP Address of slave LB
    real_ip_header      X-Forwarded-For;

The real information science faculty is used to change node generator IP address ( and optionally, the port besides ) to the value stored in the stipulate header. The rationality I have set the set_real_ip_from directive twice is that I was running an HA clustered pair of appliances and this covers the base IP addresses from each node .
After making this change, the NGINX service will need restarting in the usual manner.
systemctl restart nginx
After completing the changes detailed in either option, the access log on the substantial servers should now show the X-Forwarded-For Header contents.

If you experience any issues when configuring this or have any questions, contact our documentation engineers support @ and we ‘ll do everything we can to assist .

Evolving Approaches to Load Balancing

Application Delivery in Uncertain Times

Download Free Ebook

informant :
Category : Website hosting

Leave a Reply

Your email address will not be published.