Opened 9 years ago
Closed 9 years ago
#671 closed defect (invalid)
X-Forwarded-For problem when using HTTPS
| Reported by: | Wagner Caixeta | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.6.x |
| Keywords: | X-Forwared-For, X-Real-IP, HTTPS, SSL, | Cc: | wagner.caixeta@… |
| uname -a: | Linux webserver 2.6.18-274.18.1.el5 #1 SMP Thu Feb 9 12:45:44 EST 2012 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.6.2
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-54) TLS SNI support disabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' |
||
Description
I m using nginx as reverse proxy for some rails apps (unicorn).
Im stuck with how to keep X-Forwared-For pass over nginx when im using HTTPS.
It is ok with HTTP, but when i use HTTPS the original X-Forwared-For information is gone.
What arrives in my Rails APP?
172.16.6.234 = Desktop IP.
172.16.6.12 = A SQUID proxy.
USING HTTP:
"HTTP_X_FORWARDED_FOR"=>"172.16.6.234, 172.16.0.12"
USING HTTPS:
"HTTP_X_FORWARDED_FOR"=>"172.16.0.12"
Same directives for 443 and 80 ports, but SSL on.
I also tried to use:
set_real_ip_from 172.16.0.12; set_real_ip_from 127.0.0.1/8; set_real_ip_from unix:; real_ip_header X-Forwarded-For; real_ip_recursive on;
I stil having problems, but with a diferent result:
USING HTTP:
"HTTP_VIA"=>"1.1 spider06.assembleia.go.gov.br:3128 (squid/2.6.STABLE21)" "HTTP_X_FORWARDED_FOR"=>"172.16.6.234"
USING HTTPS:
HTTP_X_FORWARDED_FOR and HTTP_VIA are missing.
I guess it is a unespected behaivor, so im opening this ticket.
Tested on: 0.88, 1.6.2 and 1.7.7.
Config file:
upstream app_sgp {
server unix:/var/www/html/sgp/tmp/sockets/unicorn.sock fail_timeout=0;
}
server {
listen 80 default deferred;
server_name 172.16.0.26;
root /var/www/html/error/;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri $uri.html;
error_page 500 502 503 504 /500.html;
client_max_body_size 4G;
keepalive_timeout 10;
location /sgp/ {
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app_sgp;
}
location = /500.html {
root /var/www/html/error/;
}
}
server {
listen 443;
ssl on;
server_name 172.16.0.26;
ssl_certificate /etc/nginx/ssl/intranet.crt;
ssl_certificate_key /etc/nginx/ssl/intranet.key;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
root /var/www/html/error/;
try_files $uri/index.html $uri.html $uri;
location /sgp/ {
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://app_sgp;
}
location = /500.html {
root /var/www/html/error/;
}
}
Change History (4)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
This ticket can be closed.
After i had get the same behavior with lighthttpd i realized that it is not a problem with nginx.
the fact is:
X-Forwared-For is not coming inside HTTPS trafic, because it is not possible, this explain why it works only when i use HTTP.
comment:3 by , 9 years ago
Just a note that to keep the original X-Forwarded-For proxied to your app, you don't have to do anything in nginx.
comment:4 by , 9 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
127.0.0.1/8 --> 127.0.0.0/8;