Opened 10 years ago
Closed 10 years ago
#671 closed defect (invalid)
X-Forwarded-For problem when using HTTPS
Reported by: | Wagner Caixeta | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.6.x |
Keywords: | X-Forwared-For, X-Real-IP, HTTPS, SSL, | Cc: | wagner.caixeta@… |
uname -a: | Linux webserver 2.6.18-274.18.1.el5 #1 SMP Thu Feb 9 12:45:44 EST 2012 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.6.2
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-54) TLS SNI support disabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' |
Description
I m using nginx as reverse proxy for some rails apps (unicorn).
Im stuck with how to keep X-Forwared-For pass over nginx when im using HTTPS.
It is ok with HTTP, but when i use HTTPS the original X-Forwared-For information is gone.
What arrives in my Rails APP?
172.16.6.234 = Desktop IP.
172.16.6.12 = A SQUID proxy.
USING HTTP:
"HTTP_X_FORWARDED_FOR"=>"172.16.6.234, 172.16.0.12"
USING HTTPS:
"HTTP_X_FORWARDED_FOR"=>"172.16.0.12"
Same directives for 443 and 80 ports, but SSL on.
I also tried to use:
set_real_ip_from 172.16.0.12; set_real_ip_from 127.0.0.1/8; set_real_ip_from unix:; real_ip_header X-Forwarded-For; real_ip_recursive on;
I stil having problems, but with a diferent result:
USING HTTP:
"HTTP_VIA"=>"1.1 spider06.assembleia.go.gov.br:3128 (squid/2.6.STABLE21)" "HTTP_X_FORWARDED_FOR"=>"172.16.6.234"
USING HTTPS:
HTTP_X_FORWARDED_FOR and HTTP_VIA are missing.
I guess it is a unespected behaivor, so im opening this ticket.
Tested on: 0.88, 1.6.2 and 1.7.7.
Config file:
upstream app_sgp { server unix:/var/www/html/sgp/tmp/sockets/unicorn.sock fail_timeout=0; } server { listen 80 default deferred; server_name 172.16.0.26; root /var/www/html/error/; location ^~ /assets/ { gzip_static on; expires max; add_header Cache-Control public; } try_files $uri/index.html $uri $uri.html; error_page 500 502 503 504 /500.html; client_max_body_size 4G; keepalive_timeout 10; location /sgp/ { proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://app_sgp; } location = /500.html { root /var/www/html/error/; } } server { listen 443; ssl on; server_name 172.16.0.26; ssl_certificate /etc/nginx/ssl/intranet.crt; ssl_certificate_key /etc/nginx/ssl/intranet.key; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; location ^~ /assets/ { gzip_static on; expires max; add_header Cache-Control public; } root /var/www/html/error/; try_files $uri/index.html $uri.html $uri; location /sgp/ { proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://app_sgp; } location = /500.html { root /var/www/html/error/; } }
Change History (4)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
This ticket can be closed.
After i had get the same behavior with lighthttpd i notice that it is not a problem with nginx.
the fact is:
X-Forwared-For is not coming inside HTTPS trafic, because it is not possible, this explain why it works only when i use HTTP.
comment:3 by , 10 years ago
Just a note that to keep the original X-Forwarded-For proxied to your app, you don't have to do anything in nginx.
comment:4 by , 10 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
127.0.0.1/8 --> 127.0.0.0/8;