Opened 10 years ago

Closed 10 years ago

#671 closed defect (invalid)

X-Forwarded-For problem when using HTTPS

Reported by: Wagner Caixeta Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.6.x
Keywords: X-Forwared-For, X-Real-IP, HTTPS, SSL, Cc: wagner.caixeta@…
uname -a: Linux webserver 2.6.18-274.18.1.el5 #1 SMP Thu Feb 9 12:45:44 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.2
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-54)
TLS SNI support disabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Description

I m using nginx as reverse proxy for some rails apps (unicorn).

Im stuck with how to keep X-Forwared-For pass over nginx when im using HTTPS.

It is ok with HTTP, but when i use HTTPS the original X-Forwared-For information is gone.

What arrives in my Rails APP?

172.16.6.234 = Desktop IP.
172.16.6.12 = A SQUID proxy.

USING HTTP:

"HTTP_X_FORWARDED_FOR"=>"172.16.6.234, 172.16.0.12"

USING HTTPS:

"HTTP_X_FORWARDED_FOR"=>"172.16.0.12"

Same directives for 443 and 80 ports, but SSL on.

I also tried to use:

set_real_ip_from  172.16.0.12;
set_real_ip_from  127.0.0.1/8;
set_real_ip_from  unix:;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

I stil having problems, but with a diferent result:

USING HTTP:

"HTTP_VIA"=>"1.1 spider06.assembleia.go.gov.br:3128 (squid/2.6.STABLE21)"
"HTTP_X_FORWARDED_FOR"=>"172.16.6.234"

USING HTTPS:

HTTP_X_FORWARDED_FOR and HTTP_VIA are missing.

I guess it is a unespected behaivor, so im opening this ticket.

Tested on: 0.88, 1.6.2 and 1.7.7.

Config file:

upstream app_sgp {
    server unix:/var/www/html/sgp/tmp/sockets/unicorn.sock fail_timeout=0;
}
server {
        listen 80 default deferred;
        server_name 172.16.0.26;

        root /var/www/html/error/;

        location ^~ /assets/ {
                gzip_static on;
                expires max;
                add_header Cache-Control public;
        }

        try_files $uri/index.html $uri $uri.html;

        error_page 500 502 503 504 /500.html;
        client_max_body_size 4G;
        keepalive_timeout 10;

	location /sgp/ {
		proxy_read_timeout 300;
		proxy_connect_timeout 300;
		proxy_set_header X-Real-IP	$remote_addr;
		proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header  X-Forwarded-Proto $scheme;
                proxy_set_header  Host $http_host;
                proxy_redirect    off;
		proxy_pass http://app_sgp;
   	}

	location = /500.html {
    		root /var/www/html/error/;
	}

}

server {
	listen 443;
	ssl on;
	server_name 172.16.0.26;

	ssl_certificate      /etc/nginx/ssl/intranet.crt;
	ssl_certificate_key  /etc/nginx/ssl/intranet.key;
	ssl_protocols  SSLv2 SSLv3 TLSv1;
	ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
	ssl_prefer_server_ciphers   on;

	location ^~ /assets/ {
                gzip_static on;
                expires max;
                add_header Cache-Control public;
	}


	root /var/www/html/error/;
	try_files $uri/index.html $uri.html $uri;

	location /sgp/ {
		proxy_read_timeout 300;
		proxy_connect_timeout 300;
		proxy_set_header X-Real-IP	$remote_addr;
		proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header  X-Forwarded-Proto $scheme;
                proxy_set_header  Host $http_host;
                proxy_redirect    off;
		proxy_pass http://app_sgp;
   	}



	location = /500.html {
    		root /var/www/html/error/;
	}
}

Change History (4)

comment:1 by Wagner Caixeta, 10 years ago

127.0.0.1/8 --> 127.0.0.0/8;

comment:2 by Wagner Caixeta, 10 years ago

This ticket can be closed.
After i had got the same behavior with lighthttpd i notice that it is not a problem with nginx.

the fact is:

X-Forwared-For is not coming inside HTTPS trafic, because it is not possible, this explain why it works only when i use HTTP.

Version 0, edited 10 years ago by Wagner Caixeta (next)

comment:3 by Ruslan Ermilov, 10 years ago

Just a note that to keep the original X-Forwarded-For proxied to your app, you don't have to do anything in nginx.

comment:4 by Ruslan Ermilov, 10 years ago

Resolution: invalid
Status: newclosed
Note: See TracTickets for help on using tickets.