set_real_ip_from,real_ip_header directive in ngx_http_realip_module

set_real_ip_from,real_ip_header directive in ngx_http_realip_module

Nishikubo Minoru
Hello,
I tried to limit an IPv4 Address with ngx_http_limit_req module and
ngx_realip_module via Akamai would send True-Client-IP headers.

According to the document ngx_http_realip_module (http://nginx.org/en/docs/http/ngx_http_realip_module.html),
we can write set_real_ip_from and real_ip_header directives in http,
server, location context.

But, in the above case (ngx_http_limit_req module is defined the key in http context), directives on ngx_http_realip_module must be defined before the keys (a.k.a. replaced IPv4 address by ngx_http_realip_module) and followed limit_req_zone directive in http context.

I think it better that the document explained ngx_http_realip_module directive is configured before ngx_http_limit_req module configuration.

Our environment is Amazon Linux on AWS EC2 package and nginx version was
1.10.1.

If you already plan to improve the documentation and you know, please let me know and I will check it out.

Thanks.

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

Maxim Dounin
Hello!

On Tue, Feb 28, 2017 at 09:58:05AM +0900, Nishikubo Minoru wrote:

> Hello,
> I tried to limit an IPv4 Address with ngx_http_limit_req module and
> ngx_realip_module via Akamai would send True-Client-IP headers.
>
> According to the document ngx_http_realip_module (
> http://nginx.org/en/docs/http/ngx_http_realip_module.html),
> we can write set_real_ip_from and real_ip_header directives in http,
> server, location context.
>
> But, in the above case (ngx_http_limit_req module is defined the key in http
> context), directives on ngx_http_realip_module must be defined before the
> keys (a.k.a. replaced IPv4 address by ngx_http_realip_module) and followed
> limit_req_zone directive in http context.

Not really.  There is no such requirement, that is, there is no need
to place limit_req_zone and set_real_ip_from on the same level or
even in a particular order.

For example, the following configuration will work perfectly:

    limit_req_zone $remote_addr zone=limit:1m rate=1r/m;
    limit_req zone=limit;

    server {
        listen 80;

        location / {
            set_real_ip_from 127.0.0.1;
            real_ip_header X-Real-IP;
        }
    }

A problem may happen though if you configured the realip module in
a location context, but use the address in different contexts.  
For example, the following will limit requests based on the
connection's address, not the one set with realip:

    limit_req_zone $remote_addr zone=limit:1m rate=1r/m;
    limit_req zone=limit;

    server {
        listen 80;

        location / {
            try_files $uri @fallback;
        }

        location @fallback {
            set_real_ip_from 127.0.0.1;
            real_ip_header X-Real-IP;
            proxy_pass ...
        }
    }

In the above configuration, limit_req will work at the "location /"
context, and the realip module in "location @fallback" won't be
effective.  For more confusion, the $remote_addr variable will be
cached once used by limit_req, and attempts to use it even in the
location @fallback will return the original value, not changed by
the realip module.

Summing up the above, it is certainly possible to use the realip
module with limit_req regardless of levels.  They may interact
unexpectedly in complex configurations though, and hence it is
a good idea to avoid using set_real_ip_from / real_ip_header in
location context unless you understand what you are doing.

--
Maxim Dounin
http://nginx.org/
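
Added example, not part of the original thread: one way to follow the advice above for the Akamai case from the first message, with the realip directives at http level so that every location, including the named fallback, is rate limited on the replaced address. The 192.0.2.0/24 range, the log format name, the log path and the upstream address are constructed placeholders; the zone name and rate are taken from the configurations above.

```nginx
# Fragment for the http{} context of nginx.conf.

# Accept True-Client-IP only on connections that come from the CDN or load
# balancer in front of nginx. 192.0.2.0/24 is a placeholder (documentation
# range); replace it with the real source ranges. A request from any other
# address keeps its connection address, so a client that reaches nginx
# directly cannot pick its own rate-limit key by sending the header itself.
set_real_ip_from 192.0.2.0/24;
real_ip_header   True-Client-IP;

# The key is the address after the realip module has replaced it.
limit_req_zone $binary_remote_addr zone=limit:1m rate=1r/m;

# Log both addresses so the substitution can be checked:
# $remote_addr is the replaced address, $realip_remote_addr the address
# that actually connected (available since nginx 1.9.7).
log_format realip_check '$remote_addr via $realip_remote_addr '
                        '"$request" $status';

server {
    listen 80;
    access_log /var/log/nginx/access.log realip_check;

    limit_req zone=limit;

    location / {
        try_files $uri @fallback;
    }

    location @fallback {
        # No realip directives here; the http-level settings are inherited,
        # so this location sees the same $remote_addr as "location /".
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

A request rejected by limit_req is logged with status 503 by default, and the first field of the log line shows which address it was counted against.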

Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

Nishikubo Minoru
Hello, Maxim

I understand your explanation and thanks for the reply.

I tried to replace $binary_remote_addr (not $remote_addr, for performance reasons) with the True-Client-IP header which the Akamai CDN server will send, via ngx_http_limit_req_module, and use it as a shared memory zone key.



Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

S.A.N
In reply to this post by Nishikubo Minoru
Dear Nishikubo,

Have got resolution. In fact we are facing similar issue while integrated
through Akamai.

Your help is appreciable!

Thanks
Mohit M

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272653,273134#msg-273134


Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

S.A.N
In reply to this post by Maxim Dounin
if nginx is behind another proxy, that proxy set the X-Forwarded-For header
with the real client ip, and the configuration of nginx is :

    location / {
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        real_ip_header    X-Forwarded-For;
        set_real_ip_from  192.168.0.0/16;
    }

whether the real client ip or the address of the proxy will add in the
X-Forwarded-For header?
will the value of $remote_addr changes only after real_ip_header directive
or at the beginning of the context?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272653,275206#msg-275206


Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

Maxim Dounin
Hello!

On Thu, Jun 29, 2017 at 09:08:40AM -0400, foxgab wrote:

> if nginx is behind another proxy, that proxy set the X-Forwarded-For header
> with the real client ip, and the configuration of nginx is :
>
> location / {
> proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
> real_ip_header    X-Forwarded-For;
> set_real_ip_from 192.168.0.0/16;
> }
>
> whether the real client ip or the address of the proxy will add in the
> X-Forwarded-For header?
> will the value of $remote_addr changes only after real_ip_header directive
> or at the beginning of the context?

The order of the directives in the nginx configuration is not
important (except a few cases where it is explicitly outlined,
like location blocks with regular expressions or rewrite module
instructions).  Directives merely set various options for request
processing, and it doesn't matter where you set the option.

The realip module, when configured in a location context, changes
client's address as seen by nginx right after the location
configuration is chosen (and the request is processed by the
rewrite module, if any), before access-related checks.

That is, in the configuration above the realip module will change
the client's address before the "proxy_set_header" directive will
use it.  As such, X-Forwarded-For as sent to the backend will
include client address set by the realip module, and the above
configuration will result in duplicate addresses in
X-Forwarded-For.

--
Maxim Dounin
http://nginx.org/

Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

S.A.N
hi Maxim,

Thanks for your reply.
i got a problem on http_realip_module, as what you said, duplicate addresses
occurred in that header.
if i want to get the real ip for access limiting, and append the last hop
proxy address in X-Forwarded-For header at the same time, what should i do?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272653,275258#msg-275258


Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

Maxim Dounin
Hello!

On Mon, Jul 03, 2017 at 04:57:31AM -0400, foxgab wrote:

> Thanks for your reply.
> i got a problem on http_realip_module, as what you said, duplicate addresses
> occurred in that header.
> if i want to get the real ip for access limiting, and append the last hop
> proxy address in X-Forwarded-For header at the same time, what should i do?

There are two basic options:

1. Avoid using the realip module.  You can still do access checks
using the "if" directive - and, for example, appropriate geo
blocks.

2. Avoid using $proxy_add_x_forwarded_for.  You may add the
original address yourself, using the $realip_remote_addr variable
and appropriate map{} blocks.

Alternatively, you may want to rethink your setup to simply avoid
one or the other.

--
Maxim Dounin
http://nginx.org/
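
Added example, not part of the original thread: a sketch of option 2 above, which also shows the duplicate-address effect described in the earlier reply. The variable name $xff_last_hop, the sample addresses in the comments and the upstream address are constructed for illustration; the 192.168.0.0/16 range is the one from the question.

```nginx
# Fragment for the http{} context. Constructed addresses used in comments:
#   client 203.0.113.7 -> front proxy 192.168.0.10 -> this nginx
# The front proxy sends "X-Forwarded-For: 203.0.113.7".

# Build the outgoing header from the header as received plus the address
# that actually connected to nginx. $realip_remote_addr keeps that original
# address after the realip module has replaced $remote_addr.
# Combining text and variables in a map value needs nginx 1.11.0 or newer.
map $http_x_forwarded_for $xff_last_hop {      # hypothetical variable name
    ""      $realip_remote_addr;
    default "$http_x_forwarded_for, $realip_remote_addr";
}

limit_req_zone $binary_remote_addr zone=limit:1m rate=1r/m;

server {
    listen 80;

    # realip at server level, so access limiting in every location
    # sees the replaced address.
    set_real_ip_from 192.168.0.0/16;
    real_ip_header   X-Forwarded-For;

    limit_req zone=limit;      # counted against 203.0.113.7

    location / {
        # $proxy_add_x_forwarded_for would send "203.0.113.7, 203.0.113.7"
        # here, because it appends the already replaced $remote_addr.
        # The mapped variable sends "203.0.113.7, 192.168.0.10" instead.
        proxy_set_header X-Forwarded-For $xff_last_hop;
        proxy_pass http://127.0.0.1:8080;      # placeholder upstream
    }
}
```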