Forward Real Client IP from Nginx to Haproxy

Question

My point of entry is Nginx. For all /api requests, I have setup haproxy. I want to send client IP address from nginx to haproxy when someone tries to hit https://yourdomain.com/api/ . I have defined a location for /api and defined the following headers

location /api/ {
           proxy_pass https://MY-API-URL/;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_pass_request_headers      on;
}

When I am getting the value of X-Real-IP, it is the client IP but I want this client IP to be there in Haproxy because I want to set rate limiting on the basis of client IP. Please let me know what is correct way of doing it.

Answer 1

When you're proxying from NGginx to Haproxy, all the connections are coming from the same ip/machine (nginx ). If you want to proxy based on the client's IP, then you've got to tell HAProxy to balance based on either the X-Real-IP or X-Forwarded-For headers that you're setting in Nginx.

Your new Nginx config would look like this:

location /{
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ( if use X-Forwarded-For )
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Real-IP $remote_addr; ( if use X-Real-IP )
            proxy_pass_request_headers on;
            proxy_pass http://myip:myport;

}

Your new HAProxy config would look like this if you used X-Real-IP:

backend webapp
  balance hdr(X-Real-IP)
  hash-type consistent 
  mode http
  server server1 ip:port check port 8080
  server server2 ip:port check port 8080

Your new HAProxy config would look like this if you used X-Forwarded-For:

backend webapp
  balance hdr(X-Forwarded-For)
  hash-type consistent 
  mode http
  server server1 ip:port check port 8080
  server server2 ip:port check port 8080

This configuration work fine for me! Regards