Nginx restore real IP address when behind a reverse proxy

M y Nginx web server is behind a reverse proxy server. How do I restore the original and real IP address of my client/visitors when behind a reverse proxy server such as AWS Cloudfront, Fastly, Cloudflare CDN/WAF?

When our web server is behind a reverse proxy, we see the reverse proxy IP logged into log files. But we need the user’s real ip address. Let us see how to get real user’s IP address in nginx behind a reverse proxy server and restore actual IP address using the ngx_http_realip_module

Nginx restore real IP address with the ngx_http_realip_module

First let us see if Nginx compiled and loaded with ngx_http_realip_module using the following command:

nginx -V 2>&1 | egrep --color -o 'http_realip_module'

nginx -V 2>&1 | egrep --color -o 'realip_module' 

Sample outputs indicating that my Nginx compiled with required module:

--with-http_realip_module

Step 1 – Restoring visitor IPs by setting header name in Nginx

Step 2 – Get user real ip in nginx behind reverse proxy

set_real_ip_from ipv4_addresss;

set_real_ip_from ipv6_address;

set_real_ip_from sub/net;

set_real_ip_from CIDR;

Step 3 –Restart nginx server

Step 4 – Cloudflare helper scripts to deal with the Forwarded header for Nginx

Revers proxy service providers such as Cloudfront, Fastly, Cloudflare, and others have numerous IPv4 and IPv6 addresses/Classless inter-domain routing (CIDR). Typically they publish a list of all IPv4/IPv6, and we can script it out as per our need. Let us see how to automate it using Cloudflare.

Create a shell script to fetch all Cloudflare IP address

sudo vi /root/bin/restoring-original-visitor-ips.sh
Append the following bash code:

#!/usr/bin/env bash
# Purpose: Get user real ip in nginx behind Cloudflare reverse proxy
# Author: Vivek Gite {https://www.cyberciti.biz} under GNU GPL v2.x+
# Call using Cron https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/
# -------------------------------------------------------------------
set -e
 
# IP List 
IPv4="https://www.cloudflare.com/ips-v4"
IPv6="https://www.cloudflare.com/ips-v6"
 
# Nginx config file
conf="/etc/nginx/vhosts.d/cloudflare.conf"
 
# Path to nginx binary 
nginx_cmd="/usr/sbin/nginx"
file="/tmp/ips.$$"
 
# Get list
wget -q "${IPv4}" -O -> "${file}"
wget -q "${IPv6}" -O ->> "${file}"
 
# Start building config file
echo 'real_ip_header CF-Connecting-IP;' > "${conf}"
 
while read i 
do 
	echo "set_real_ip_from ${i};" >> "${conf}"
done < "${file}"
 
# Check for syntax error and reload the nginx 
${nginx_cmd} -qt && ${nginx_cmd} -s reload
 
# Clean up
rm -f "${file}"

Set up daily or weekly Linux/Unix cron job

'/etc/cron.d/restoring-original-visitor-ips.sh' -> '/root/bin/restoring-original-visitor-ips.sh'

To be honest weekly cron job is more than sufficient:

sudo ln -v -s /root/bin/restoring-original-visitor-ips.sh /etc/cron.weekly/

Test it

We are not going to wait for the cron job. So let us run our script manually:

sudo /etc/cron.d/restoring-original-visitor-ips.sh

Step 5 – Verification

139.1.2.3 - - [07/May/2020:12:16:24 +0000] "GET / HTTP/1.1" 200 3032 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
142.2.3.4 - - [07/May/2020:12:16:25 +0000] "GET /style.css HTTP/1.1" 200 399 "https://www.cyberciti.biz/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
1.2.3.4 - - [07/May/2020:12:16:25 +0000] "GET /images/logo.png HTTP/1.1" 200 34001 "https://www.cyberciti.biz/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"

Conclusion

In this tutorial, you learned how to retrieve actual client IP addresses and get the real IP address of visitors when your Nginx web server is behind a reverse proxy server. Further, you learned how to automate the process using a simple shell script for Nginx to restore a real IP address. See Nginx docs here for more info.