nginx doesn't forward ip in headers to apache (rpaf is enabled)

9,296

Solution 1

That's the correct behavior, because only your applications (run on Apache) see the real IP. For example, install a sample application such as WordPress and install real-time analytics such as Piwik. Insert the Piwik code in the WordPress footer and visit your WordPress site (after logging out). Now Piwik would show the real IP instead of what is set at RPAFproxy_ips.

BTW, the /etc/apache2/mods-enabled/rpaf.conf file is missing one important directive. It should have RPAFheader. For example, my configuration file looks like this...

<IfModule mod_rpaf.c>
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips 127.0.0.1
    RPAFheader X-Forwarded-For
</IfModule>

You may also use X-Real-IP in place of X-Forwarded-For. In either case, please make sure nginx is configured to send real IP in its header. For example, if you use X-Forwarded-For, then your nginx configuration should contain the following...

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $remote_addr;
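
An added example, not part of the answer above and not mod_rpaf's own code: a Python model of the two nginx header settings shown and of how a backend can pick the client address when only listed proxies are trusted. The function names are hypothetical, the trusted list mirrors the `RPAFproxy_ips 127.0.0.1 ::1` line from the question, and the addresses in the test values are constructed.

```python
import ipaddress

# Assumption: mirrors "RPAFproxy_ips 127.0.0.1 ::1" from the question.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "::1/128")]


def is_trusted(addr):
    """True when addr belongs to one of the configured proxy networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def nginx_append(client_xff, remote_addr):
    """Model of $proxy_add_x_forwarded_for: client header, then $remote_addr."""
    return f"{client_xff}, {remote_addr}" if client_xff else remote_addr


def nginx_overwrite(client_xff, remote_addr):
    """Model of 'proxy_set_header X-Forwarded-For $remote_addr': client value dropped."""
    return remote_addr


def leftmost_entry(xff):
    """Naive choice: the first entry, which the client itself may have written."""
    return xff.split(",")[0].strip()


def resolve_client_ip(peer_addr, xff):
    """Return the address the backend should use for IP-based access rules."""
    # The header counts only when the TCP peer is a configured proxy.
    if not xff or not is_trusted(peer_addr):
        return peer_addr
    # Walk right to left: the rightmost entries were appended by our own proxies.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return peer_addr  # malformed entry: fall back to the socket peer
    return peer_addr  # every hop was a trusted proxy
```

With the appended form, anything the client put in its own X-Forwarded-For stays at the left of the list, so IP-based `.htaccess` rules are only as reliable as the entry the backend chooses to read.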

Solution 2

Change the <IfModule ""> reference from mod_rpaf.c to rpaf_module.

This fixed the issue for me on Debian Squeeze and Ubuntu 12.04.


rush
Author by

rush

Updated on September 18, 2022

Comments

  • rush
    rush over 1 year

    I'm trying to set up nginx as front-end and apache as back-end on my server. All goes as usual, I've installed libapache2-mod-rpaf. But apache doesn't see the real client IP, and some .htaccess restrictions based on IP don't work at all, because apache sees only the local IP.

    Here is the nginx vhost configuration:

    server {
        listen 80;
        server_name domain;
        location ~* ^/(admin/|dump/|) {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:8080;
            proxy_redirect http://domain:8080/ /;
        }
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:8080;
            proxy_redirect http://domain:8080/ /;
        }
        location ~* ^.+\.(jpg|swf|flv|ico|txt|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar)$ {
            access_log /var/www/logs/domain.nginx.access.log;
            error_page 404 = @fallback;
            if ( $host ~* ^((.*).domain)$ ) {
                set $proot /var/www/$1;
                break;
            }
            if ( $host = "domain" ) {
                break;
            }
    
            root /var/www/domain;
        }
        location @fallback {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
    

    And here is apache vhost configuration:

    <VirtualHost *:8080>
        ServerName domain
        DocumentRoot /var/www/domain
        DirectoryIndex index.php
        CustomLog /var/www/logs/domain.access.log combined
        ErrorLog /var/www/logs/domain.error.log
        ServerAdmin info@domain
        AddDefaultCharset utf8
        php_admin_value open_basedir "/var/www/mod-tmp:.:/var/www/domain"
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster@domain"
        php_admin_value upload_tmp_dir "/var/www/mod-tmp"
        php_admin_value session.save_path "/var/www/mod-tmp"
        AddType application/x-hwikipd-php .php .php3 .php4 .php5 .phtml
        AddType application/x-hwikipd-php-source .phps
    <Directory /var/www/domain>
        Options All
        AllowOverride All
    </Directory>
    </VirtualHost>
    

    As I can see in nginx log:

    xxx.yyy.98.14 - - [28/Jan/2012:02:08:29 +0400] "GET / HTTP/1.0" 403 179 "-" "w3m/0.5.3"
    

    It sees my real IP.

    But in the apache log it sees only the local IP:

    127.0.0.1 - - [28/Jan/2012:02:08:29 +0400] "GET / HTTP/1.0" 403 390 "-" "w3m/0.5.3"
    

    rpaf is enabled.

    $ cat /etc/apache2/mods-enabled/rpaf.conf 
    <IfModule mod_rpaf.c>
        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips 127.0.0.1 ::1
    </IfModule>
    $ cat /etc/apache2/mods-enabled/rpaf.load 
    LoadModule rpaf_module /usr/lib/apache2/modules/mod_rpaf.so
    $ ls -l /usr/lib/apache2/modules/mod_rpaf.so
    -rw-r--r-- 1 root root 8488 Oct 17 20:47 /usr/lib/apache2/modules/mod_rpaf.so
    

    So, what is wrong?

    P.S. I have restarted nginx and apache several times after saving these configs, but there are no changes.

  • rush
    rush over 12 years
    Hm, I changed rpaf.conf and nginx vhost settings as you said and restarted apache and nginx, but nothing changed. Do I need to do something else? BTW, I checked the same settings on another host and everything works well.
  • Pothi Kalimuthu
    Pothi Kalimuthu over 12 years
    I'm sorry, I shared what I've known. Maybe someone else might help you further, thanks.
  • Pothi Kalimuthu
    Pothi Kalimuthu over 12 years
    Okay, instead of RPAFheader X-Forwarded-For, please try RPAFheader X-Real-IP. Thanks.
  • Tuinslak
    Tuinslak almost 10 years
    This solved it for me. Lots of guides use mod_rpaf and not rpaf_module. Be sure to place it in your vhosts, and not in your apache2.conf as well.