I am using an nginx server to forward requests to a routing service that filters requests based on IP. This routing service is returning a 403 because the X-Forwarded-For header is missing from the request. This is expected behaviour. I am trying to explicitly set this header, so as to avoid this error. I have the below in my entrypoint.sh file in this repo:

#!/bin/bash

set -euo pipefail

# Validate environment variables
#: "${PUBLIC_HOST:?Set PUBLIC_HOST using --env}"
#: "${SERVER:?Set SERVER using --env}"
#: "${SECRET_TOKEN:?Set SECRET_TOKEN using --env}"
: "${SERVER:?Set SERVER using --env}"

echo ">> generating self signed cert"
openssl req -x509 -newkey rsa:4086 \
-subj "/C=XX/ST=XXXX/L=XXXX/O=XXXX/CN=localhost" \
-keyout "/key.pem" \
-out "/cert.pem" \
-days 3650 -nodes -sha256

cat <<EOF >/etc/nginx/nginx.conf
user nginx;
worker_processes 2;
events {
  worker_connections 1024;
}

http {
  upstream upstream_server{
      server ${SERVER};
  }


  log_format main '\$http_x_forwarded_for - \$remote_user [\$time_local] '
                  '"\$request" \$status \$body_bytes_sent "\$http_referer" '
                  '"\$http_user_agent"' ;

  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log;
  server_tokens off;
  server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /cert.pem;
    ssl_certificate_key /key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
    include /etc/nginx/mime.types;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    set_real_ip_from 172.16.0.0/20;
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 192.168.0.0/16;
    client_max_body_size 600M;
  
    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://upstream_server;
    } 
  }
}
EOF

echo "Running nginx..."

# Launch nginx in the foreground
/usr/sbin/nginx -V -g "daemon off;"

When the server is starting up, it errors, complaining that proxy_add_x_forwarded_for is an unbound variable. I've tried changing this line to proxy_set_header X-Forwarded-For "$http_x_forwarded_for, $realip_remote_addr"; as per this answer, but realip_remote_addr gives me the same unbound variable error. I've checked and can see that the ngx_http_proxy_module and realip modules are both running, so I don't understand why these variables aren't being picked up. I haven't worked much with nginx (or shell scripts tbh). Am I missing something obvious here?

Gabe Naughton
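
Added example, not part of the original post: inside the unquoted `<<EOF` heredoc, bash expands any unescaped `$name` before nginx reads the file, which is why `set -u` reports `proxy_add_x_forwarded_for` as unbound while the escaped `\$host` line passes through. The sketch reproduces the failure in a subshell and checks that the nginx variables survive in the generated text. The function names and the sample `SERVER` value are constructed for illustration.

```bash
#!/bin/bash
set -eu

# Constructed sample upstream; the page's script receives SERVER via --env.
SERVER="${SERVER:-10.0.0.5:8080}"

# ${SERVER} is meant for the shell and is expanded when the file is written.
# \$name keeps a literal "$" so nginx resolves the variable per request.
render_escaped() {
  cat <<EOF
upstream upstream_server { server ${SERVER}; }
location / {
    proxy_set_header Host \$host;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_pass http://upstream_server;
}
EOF
}

# Same directive without the backslash, run in a subshell so the failure
# does not stop this script. Under "set -u" the shell aborts on the unset
# name; the shell's error text is returned on stdout for inspection.
render_unescaped() {
  (
    set -u
    unset proxy_add_x_forwarded_for
    cat <<EOF
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
EOF
  ) 2>&1
}

# Pre-flight check for generated config: succeeds only if the named nginx
# variable is still present literally, i.e. the shell did not consume it.
# usage: has_nginx_var <config-text> <variable-name>
has_nginx_var() {
  printf '%s\n' "$1" | grep -qF -- "\$$2"
}

conf=$(render_escaped)
has_nginx_var "$conf" proxy_add_x_forwarded_for && echo "escaped: variable reaches nginx"
err=$(render_unescaped) || echo "unescaped: shell aborted: $err"
```

Without `set -u` the unescaped form does not abort; the shell substitutes an empty string and the directive is written with no value, which is the case `has_nginx_var` is there to catch before nginx starts.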