Question

How do I forward client IP instead of proxy IP in Nginx Reverse Proxy?

Overview

I have a setup that looks like this:

  • Nginx Reverse Proxy with a Floating IP
  • Reverse Proxy is configured to forward requests from users to a 3rd party SaaS application, BigCommerce which then handles the response to the user.

I’m unable to set Trusted IPs/Proxies in the BigCommerce application environment, therefore the client IP is always showing as the last connecting proxy instead of the client IP. Due to how ordering in BigCommerce is tracked, all orders are being marked as ‘potential fraud’ because of an IP location mismatch between the IP being logged and the customer making the order.

My Setup

I’ve been asked what headers I’m sending via the Reverse proxy and it looks like this:

proxy_pass_header  Set-Cookie;

proxy_set_header   Host               $host;
proxy_set_header   X-Real-IP          $remote_addr;
proxy_set_header   X-Forwarded-Proto  $scheme;
proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;

From what I can see and have been shown from the BigCommerce, the X-Forwarded-For headers are being sent with the correct IPs in the correct order (client_ip, proxy_ip), but X-Real-IP shows as the proxy_ip instead of the client_ip.

Their suggestions have been to override the X-Real-IP header from the Reverse Proxy and I can’t seem to be able to do so. From questions I’ve asked in other online communities, I’ve received suggestions on overriding the $remote_addr with proxy_bind, but that requires running Nginx as a superuser and messing with IP tables.

My Question

Is it possible that the droplet configuration (Possible NAT issue?) is what’s causing the IP to show as the proxy_ip instead of the client_ip or is what I have configured missing something crucial in my setup to ensure the reverse proxy doesn’t overwrite the X-Real-IP with its own public IP address.

Any help or suggestions are greatly appreciated. I’ve also looked into proxy_protocol, but I don’t know if that fits my situation and if that requires BigCommerce to support proxy_protocol in order to correctly identify the client_ip.

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Server EnthusiastMarch 2, 2020
Accepted Answer

Hi @cvanorman

I think that what you have in place is correct in terms of the 4 headers that you’ve configured already.

What is the output of the Nginx access logs? Are you seeing the correct IP there?

skyrceeebSeptember 30, 2020

@cvanorman @beebee11 I think you should look at the ngx_http_realip_module.

add to reverse proxy server on the application side

http {
...


set_real_ip_from $IP_LOAD_BALANCER;
real_ip_header X-Forwarded-For;

...
}
beebee11July 16, 2020

Hey @cvanorman were you able to find a solution for this? I am too stuck with the same issue.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

card icon
Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Sign up
card icon
Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.

Learn more
card icon
Become a contributor

You get paid; we donate to tech nonprofits.

Learn more
Featured on Community
Kubernetes CourseLearn Python 3Machine Learning in PythonGetting started with GoIntro to Kubernetes
DigitalOcean Products
CloudwaysVirtual MachinesManaged DatabasesManaged KubernetesBlock StorageObject StorageMarketplaceVPCLoad Balancers
Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow – whether you’re running one virtual machine or ten thousand.

Learn more ->
DigitalOcean Cloud Control Panel
© 2023 DigitalOcean, LLC.Sitemap.