ngx_http_realip_module changes $remote_addr which leads to wrong ips in X-Forwarded-For received by upstream service

[anveshagarwal@…]

I have a webapp under NGinx and another frontal load balancer, something like below (x.x.x.x = IP address):

Client(a.a.a.a) -> LB (b.b.b.b) -> NGX (c.c.c.c) -> WEBAPP (d.d.d.d)

Here is a snippet of my NGinx configuration:

location / {

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
real_ip_header X-Forwarded-For;
set_real_ip_from b.b.b.b;
real_ip_recursive on;

}
The load balancer add X-Forwarded-For field with client IP
X-Forwarded-For = a.a.a.a
NGinx search for client real IP in X-Forwarded-For header by omiting LB IP (b.b.b.b) and change $remote_addr from b.b.b.b to a.a.a.a so proxy_set_header X-Real-IP $remote_addr become true (OK that's what I want !)
BUT, NGinx also complete X-Forwarded-For header with a.a.a.a IP instead of b.b.b.b
WEBAPP receive the following headers:
X-Forwarded-For = a.a.a.a, a.a.a.a
X-Real-IP = a.a.a.a
-> X-Forwarded-For should be a.a.a.a, b.b.b.b

So here I am loosing info about my load balancer.

Right now for getting proper ips in my webapp I need to use a workaround of setting X-forwarded-for as:
proxy_set_header X-Forwarded-For "$http_x_forwarded_for, $realip_remote_addr";

What I need is the ability to set first proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for and then search for real IP and replace $remote_addr value. Or maybe another variable similar to $proxy_add_x_forwarded_for which retains the load balancer ip.

[Maxim Dounin]

Thanks for the ticket, this is known and indeed not very convenient behaviour. Previously seen at least ​here.