Question Getting X-Forwarded-For IP address from behind a nginx proxy server

[philglau]

Server operating system version

ubuntu 22.04

Plesk version and microupdate number

18.0.65

I've got a Plesk server sitting behind a Ngnix Proxy Manager.

I am receiving correct HTTP_X_FORWARDED_FOR & HTTP_X_REAL_IP from the ngnix proxy on requests forwarded to domains on the Plesk server. Here's my topology:


However, I can't figure out how to get the Apache log files to show the HTTP_X_REAL_IP address in the log entries instead of the IP address of the proxy server.

For example when I access a test script on one of my domains on 192.168.2.90 I see an access_ssl_log entry like:

192.168.2.2 - - [30/Nov/2024:13:03:58 -0800] "GET /test.php HTTP/1.1" 200 5128 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"

Unfortunately 192.168.2.2 is the IP address of my nginx proxy manager rather than the external IP address of the client.

I've got the 'remoteip' module enabled under Tools & Settings => Apache Web Server Settings

For the domain in question I've added the following directive to Websites & Domains => Apache and nginx Settings for mydomain.com=> Additional directives for HTTP & HTTPS:

RemoteIPHeader X-Forwarded-For

a2enmod remoteip

shows that the module is already active.

I also tried changing the apache log format following these direction. I adjusted %a to be ${c}a as per Apache Module mod_log_config but that didn't seem to make any difference either. Either set to %a or %{c}a both end up showing 192.168.2.2

So to recap: My test scripts on the domain in question can recover the correct values from HTTP_X_REAL_IP, I just can't figure out how to get the correct remote IP address into the apache log files.

Thank you in advance for any help you might be able to provide.

 

[scsa20]

Please refer to the following 2 articles:

https://support.plesk.com/hc/en-us/articles/19222049710743-How-to-set-up-nginx-to-log-real-client-IP-address-when-the-Plesk-server-is-behind-an-external-proxy-server

https://support.plesk.com/hc/en-us/articles/12377061126807-Incorrect-IP-addresses-are-logged-in-the-access-logs-of-Plesk-domains-behind-a-Cloudflare-CDN-proxy-or-Google-Cloud-Load-Balancing

Those 2 articles should help you out (please note that the first article does have 3 tabs you can refer to depending on if you're trying to do it at per or all domains)

 

[Raul A.]

On the Nginx server, in the location block that forwards to the Plesk server you need the following headers sent to the Plesk server:

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

You can also SSL offload the traffic on the Nginx server by using http:// in proxy_pass:

proxy_pass http://$plesk_server_address;

But you should also add this header:

proxy_set_header Ssl-Offloaded "1";

Restart Nginx.

On the Plesk side, declare the Nginx server as a trusted proxy in /etc/nginx/conf.d/mod_real_ip.conf

set_real_ip_from 192.2.2.2;
real_ip_header X-Real-IP;
real_ip_recursive on;

Restart Nginx.

 

[mow]

For the domain in question I've added the following directive to Websites & Domains => Apache and nginx Settings for mydomain.com=> Additional directives for HTTP & HTTPS:

RemoteIPHeader X-Forwarded-For

Don't forget to set

RemoteIPInternalProxy 192.168.2.2

too.

 

[philglau]

Thank you @scsa20 your links were helpful. In particular the first link solved the problem.

@mow thank you as well, I'm going to try using the SSL offload as well.