Hello,
In order to do so you must enable the ngx_http_realip_module when compiling. See http://nginx.org/en/docs/http/ngx_http_realip_module.html
The following is a snippet from a working configuration. This is the front end nginx which passes to a backend nginx running in a jail and listening on 8000:
location / {
proxy_pass http://10.0.2.7:8000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_redirect off;
proxy_set_header Host $host;
....
}
The backend runs nginx proxying to an Apache/php5.6 backend listening on 8080 using mod_rpaf2:
http {
...
set_real_ip_from 10.0.2.0/30;
...
server {
....
location ~ \.php$ {
proxy_pass http://10.0.2.7:8080;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $http_x_real_ip;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
...
}
....
}
}
The reason for this setup is this is an old script which needs to be jailed for security reasons. The jailed nginx instance serves static content back to the front end nginx instance which stores them using proxy_cache if appropriate, and Apache serves PHP and gets the correct remote address. You can prove that by using $http_x_real_ip in your log_format directive. Otherwise, it would read all requests as coming from the internal IP.
In order to do so you must enable the ngx_http_realip_module when compiling. See http://nginx.org/en/docs/http/ngx_http_realip_module.html
The following is a snippet from a working configuration. This is the front end nginx which passes to a backend nginx running in a jail and listening on 8000:
location / {
proxy_pass http://10.0.2.7:8000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_redirect off;
proxy_set_header Host $host;
....
}
The backend runs nginx proxying to an Apache/php5.6 backend listening on 8080 using mod_rpaf2:
http {
...
set_real_ip_from 10.0.2.0/30;
...
server {
....
location ~ \.php$ {
proxy_pass http://10.0.2.7:8080;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $http_x_real_ip;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
...
}
....
}
}
The reason for this setup is this is an old script which needs to be jailed for security reasons. The jailed nginx instance serves static content back to the front end nginx instance which stores them using proxy_cache if appropriate, and Apache serves PHP and gets the correct remote address. You can prove that by using $http_x_real_ip in your log_format directive. Otherwise, it would read all requests as coming from the internal IP.