nginx proxy to apache - Remote IP not recorded

Question

I have nginx terminating websites and proxying them to Apache with PHP-FPM. I'm trying to record the Clients IP in the apache log, but cannot seem to get this to work.

nginx configuration

server {
  listen         80;
  server_name    www.website.com;

  location ^~ /.well-known/acme-challenge/ {
      alias /var/www/dehydrated/;
  }

  location / {
      return         301 https://$server_name$request_uri;
  }
}

server {
  listen 443 ssl http2;
  server_name www.website.com;

  location / {
      proxy_pass http://1.2.3.4:80;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_read_timeout 600;
      proxy_buffer_size   128k;
      proxy_buffers   4 256k;
      proxy_busy_buffers_size   256k;
      client_max_body_size 100M;
  }

  location ~ /\.ht {
      deny all;
  }

  ssl_certificate_key /etc/nginx/ssl/www.website.com/privkey.pem;
  ssl_certificate /etc/nginx/ssl/www.website.com/fullchain.pem;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/ssl/dhparams.pem;
}

apache configuration

  <VirtualHost *:80>

    ServerName www.website.com
    ServerAlias origin.www.website.com

    ServerAdmin jd@automatem.co.nz

    DocumentRoot /var/www/www.website.com/trunk

    <IfModule mpm_itk_module>
          AssignUserId www_arenz www_arenz
    </IfModule>
    CustomLog /var/www/www.website.com/apachelogs/www.website.com-access.log combined
    ErrorLog /var/www/www.website.com/apachelogs/www.website.com-error.log

      <FilesMatch "\.php$">
          CGIPassAuth on
          SetHandler "proxy:fcgi://127.0.0.1:9115/
      </FilesMatch>

      RemoteIPHeader X-Real-IP
      RemoteIPTrustedProxy 2.3.4.5/32


  </VirtualHost>

Apache logs always show 2.3.4.5 as the IP address of the client, which is the public IP address of nginx

Maybe the order of the directives matters?! E.g., try to put the `RemoteIPHeader` before the `CustomLog`. — cnst, Feb 04 '19 at 03:11
TBH, I'm not sure why you're even using Apache if all it's doing is static+fcgi. Why not move the whole thing to nginx? — cnst, Feb 04 '19 at 06:48
@cnst end user needs to use .htaccess, too hard to teach otherwise, secondly, there is Varnish between nginx and apache, but not always — jdog, Feb 04 '19 at 07:16
wait, so, how do you know it's not varnish that's affecting the headers? you probably have to do more troubleshooting yourself to find out what's wrong. — cnst, Feb 04 '19 at 22:38

score 2 · Accepted Answer · answered Feb 05 '19 at 12:48

You could try this solution:

Apache doesn't log remoteIP when RemoteIPHeader X-Forwarded-For is present

# Log format config
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/access_log" common env=forwarded

# Header config
RemoteIPHeader X-Real-IP
RemoteIPHeader X-Client-IP
RemoteIPInternalProxy 192.168.10.10 192.168.10.11

Furthermore, log combined use %h. Setting %a, it tells to Apache to log the client IP as recorded by mod_remoteip (%a) rather than hostname (%h)

For your reference:

https://httpd.apache.org/docs/2.4/logs.html#accesslog

https://www.techstacks.com/howto/log-client-ip-and-xforwardedfor-ip-in-apache.html

Hope this can help you

"Furthermore, log combined use %h. Setting %a, it tells to Apache to log the client IP as recorded by mod_remoteip (%a)" This was really the only missing piece of information — jdog, Feb 07 '19 at 20:38

score 1 · Answer 2 · answered Feb 23 '19 at 12:39

You can also use rpaf apache module instead of RemoteIP directive, set it in httpd.conf

  <IfModule rpaf_module>                                                                                                                                                                                                                                                 
      RPAF_Enable On                                                                                                                                                                                                                                                     
      RPAF_SetHostName On                                                                                                                                                                                                                                                
      RPAF_ProxyIPs 2.3.4.5                                                                                                                                                                                                                                        
      RPAF_Header X-Forwarded-For                                                                                                                                                                                                                                        
  </IfModule>

Then just add a new log format like this

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" forwarded

CustomLog "/var/log/httpd-access.log" forwarded

Works a treat here with nginx as proxy + apache + php-fpm

nginx proxy to apache - Remote IP not recorded

2 Answers2