Facebook
Twitter[PPPM-2672] How set nginx to show real IP?
- Thread starter Azurel
- Start date
Actually special modules for this purpose should be enabled by default in Apache - mod_rpaf (for Apache 2.2) or mod_remoteip (for Apache 2.4)
So, all should works as expected for IPv4 by default, but I'm not sure that there is the same behaviour for IPv6.
Please make sure that this module is loaded and all works fine for IPv4 addresses.
So, all should works as expected for IPv4 by default, but I'm not sure that there is the same behaviour for IPv6.
Please make sure that this module is loaded and all works fine for IPv4 addresses.
Hello Azurel,
The issue is not fixed yet in Plesk (it's internal id is PPPM-2672). You can temporary workaround it by changing "$ipAddress->proxyEscapedAddress" to "$ipAddress->escapedAddress" in custom templates (please note that it's recommended to remove such customization when this bug will be fixed).
The issue is not fixed yet in Plesk (it's internal id is PPPM-2672). You can temporary workaround it by changing "$ipAddress->proxyEscapedAddress" to "$ipAddress->escapedAddress" in custom templates (please note that it's recommended to remove such customization when this bug will be fixed).
Code:
[root@a10-52-53-101 ~]# mkdir /usr/local/psa/admin/conf/templates/custom
[root@a10-52-53-101 ~]# mkdir /usr/local/psa/admin/conf/templates/custom/server
[root@a10-52-53-101 ~]# cp /usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php /usr/local/psa/admin/conf/templates/custom/server
[root@a10-52-53-101 ~]# diff --ignore-all-space /usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php /usr/local/psa/admin/conf/templates/custom/server/nginxVhosts.php
30c30
< proxy_pass https://<?php echo $ipAddress->proxyEscapedAddress . ':' . $OPT['backendPort']; ?>;
---
> proxy_pass https://<?php echo $ipAddress->escapedAddress . ':' . $OPT['backendPort']; ?>;
32c32
< proxy_pass http://<?php echo $ipAddress->proxyEscapedAddress . ':' . $OPT['backendPort']; ?>;
---
> proxy_pass http://<?php echo $ipAddress->escapedAddress . ':' . $OPT['backendPort']; ?>;
[root@a10-52-53-101 ~]# mkdir /usr/local/psa/admin/conf/templates/custom/domain
[root@a10-52-53-101 ~]# mkdir /usr/local/psa/admin/conf/templates/custom/domain/service/
[root@a10-52-53-101 ~]# cp /usr/local/psa/admin/conf/templates/default/domain/service/proxy.php /usr/local/psa/admin/conf/templates/custom/domain/service/
[root@a10-52-53-101 ~]# diff /usr/local/psa/admin/conf/templates/default/domain/service/proxy.php /usr/local/psa/admin/conf/templates/custom/domain/service/proxy.php
8c8
< proxy_pass https://<?php echo $OPT['ipAddress']->proxyEscapedAddress . ':' . $OPT['backendPort'] ?>;
---
> proxy_pass https://<?php echo $OPT['ipAddress']->escapedAddress . ':' . $OPT['backendPort'] ?>;
10c10
< proxy_pass http://<?php echo $OPT['ipAddress']->proxyEscapedAddress . ':' . $OPT['backendPort'] ?>;
---
> proxy_pass http://<?php echo $OPT['ipAddress']->escapedAddress . ':' . $OPT['backendPort'] ?>;
[root@a10-52-53-101 ~]# /usr/local/psa/admin/sbin/httpdmng --reconfigure-allStéphane Besuchet
New Pleskian
Hello,
I have trouble with this issue but the Plesk server is on version 12.5.30 Update #30 on Linux Debian 7.10.
On the vhosts templates, the correction has been applied with the patch for PPPM-2672. Unfortunately the proxy seems to communicate with Apache via the public IP not loopback as source in IPv6. The apache module mod_rpaf is only configured to have loopback adresses for the proxy (/etc/apache2/mods-enabled/rpaf.conf)
I had to add my public IPv6 addresses on RPAproxy_ips in order to remplace the source ip adresse with the real remote ip adresses :
I'm quite sure that changing the vhost template back to something like this would also work :
Is it a known new bug on you side ?
Thanks a lot,
Stéphane
I have trouble with this issue but the Plesk server is on version 12.5.30 Update #30 on Linux Debian 7.10.
On the vhosts templates, the correction has been applied with the patch for PPPM-2672. Unfortunately the proxy seems to communicate with Apache via the public IP not loopback as source in IPv6. The apache module mod_rpaf is only configured to have loopback adresses for the proxy (/etc/apache2/mods-enabled/rpaf.conf)
Code:
<IfModule rpaf_module>
RPAFenable On
# When enabled, take the incoming X-Host header and
# update the virtualhost settings accordingly:
RPAFsethostname On
# Define which IP's are your frontend proxies that sends
# the correct X-Forwarded-For headers:
RPAFproxy_ips 127.0.0.1 ::1
# Change the header name to parse from the default
# X-Forwarded-For to something of your choice:
# RPAFheader X-Real-IP
</IfModule>I had to add my public IPv6 addresses on RPAproxy_ips in order to remplace the source ip adresse with the real remote ip adresses :
Code:
<IfModule rpaf_module>
# Define which IP's are your frontend proxies that sends
# the correct X-Forwarded-For headers:
RPAFproxy_ips 127.0.0.1 ::1 2001::[...]:27 2001::[...]:28
</IfModule>I'm quite sure that changing the vhost template back to something like this would also work :
Code:
proxy_pass https://<?php '[::1]:' . $OPT['backendPort']; ?>;
or
proxy_pass https://<?php '127.0.0.1:' . $OPT['backendPort']; ?>;Is it a known new bug on you side ?
Thanks a lot,
Stéphane
Stéphane Besuchet
New Pleskian
Hello Ruslan,
I do not use custom templates, I tried to use them but $ipAddress->proxyEscapedAddress has the same value as $OPT['ipAddress']->escapedAddress which is the public IP, so it has no difference on the generated configuration. As I understand on your first post, this is normal.
Unfortunately using public IP in proxy_pass instead of loopback adresse does show the server IP instead of the real remote IP in Apache logs.
I found the trick to solve this issue by changing the rpaf Apache module configuration, but with the stantard configuration of Plesk on my server the remote IPv6 is the server public IPv6, even if PPPM-2672 is effectively solved.
I do not have this issue with IPv4 even if public IP is also used in proxy_pass.
Thanks,
Stéphane
I do not use custom templates, I tried to use them but $ipAddress->proxyEscapedAddress has the same value as $OPT['ipAddress']->escapedAddress which is the public IP, so it has no difference on the generated configuration. As I understand on your first post, this is normal.
Unfortunately using public IP in proxy_pass instead of loopback adresse does show the server IP instead of the real remote IP in Apache logs.
I found the trick to solve this issue by changing the rpaf Apache module configuration, but with the stantard configuration of Plesk on my server the remote IPv6 is the server public IPv6, even if PPPM-2672 is effectively solved.
I do not have this issue with IPv4 even if public IP is also used in proxy_pass.
Thanks,
Stéphane
Similar threads
