Score:0

client ip behind nginx reverse proxy


I'm running an nginx reverse proxy to be able to run multiple servers behind my firewall. I noticed on my (Kerio) mail server the error log is filled with "failed login from < local ip of nginx >" and I was wondering how can I set it so I get the remote IP of the person/bot that is trying to log in so I might use that information for auto blocking those addresses (for example)?

This is my current config:

server {
    listen 8443 ssl http2;
    server_name mail.domain.com;

    location / {
        proxy_set_header Host $host;
        proxy_pass https://<internal ip>/;
        client_max_body_size 0;
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
    }
}

Adding the following lines results in more of the same:

proxy_set_header   X-Real-IP          $remote_addr;
proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
Michael Hampton:
You already passed along the IP address. Whatever software you passed it to must now deal with it.
in flag
Crap. So basically a no-go is what you're saying since my mailserver shows the local ip only?
Michael Hampton:
You didn't say what you are passing it to, but generally most software has some way of dealing with this. You should say what you are passing it to.
in flag
Kerio mailserver is what I'm passing it to.
Michael Hampton:
I don't see anything relevant from a quick look through the manual. You should edit your question so that perhaps people familiar with Kerio will be alerted to its existence.
vn flag
https://forums.kerio.com/index.php?t=msg&goto=147601& has info on what to do for Kerio.
in flag
Thanks for pointing me to that post. It doesn't work right away, but I'll reach out on the forum to try and get it fixed.
Score:0

X-Forwarded-For is the feature you need, and this will add an HTTP header containing the original client IP. From what you are saying, the Kerio application is ignoring this and just using the source IP (which is the nginx) in the logs. Perhaps there is an option to analyse and use this that can be configured on the application.

Michael Hampton:
So what is the option? This post is useless without that information.
Barry Gleeson:
Like you said, there is nothing in the docs on how to configure this in Kerio. Since the Q was in relation to the nginx config, it's worth calling out that this is correct, as the forwarded-for header is being added.
Score:0

Just found out my mail server (Kerio) does nothing with the information forwarded by the reverse proxy, so the only thing I can do is hope for an update that does.
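
A backend that does consume the forwarded headers has to decide which part of them to believe before the result is used for blocking, because `$proxy_add_x_forwarded_for` appends to whatever the client already sent. The following is an added example, not code from this thread or from Kerio; the proxy address 192.0.2.10, the lower-cased header dict and the function names are assumptions.

```python
import ipaddress

# Assumption: the nginx host is the only proxy allowed to vouch for a
# client address; 192.0.2.10 is a constructed documentation address.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Return the address to log or block for one request.

    peer_addr -- source IP of the TCP connection as seen by the backend
    headers   -- dict of request headers with lower-cased names
    """
    peer = ipaddress.ip_address(peer_addr)
    # A connection that did not come through nginx gets no say: its headers
    # are client-controlled, so the socket address is the only evidence.
    if not _is_trusted(peer):
        return str(peer)

    # nginx appends $remote_addr to any X-Forwarded-For the client sent, so
    # only the right-hand side is trustworthy. Walk right to left and stop
    # at the first hop that is not one of our own proxies.
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the header
        if not _is_trusted(addr):
            return str(addr)

    # Fall back to X-Real-IP, which the question's config sets from
    # $remote_addr, replacing any value the client supplied.
    real_ip = headers.get("x-real-ip", "").strip()
    try:
        return str(ipaddress.ip_address(real_ip))
    except ValueError:
        return str(peer)
```

Taking the leftmost X-Forwarded-For entry instead would let a client choose which address gets logged or blocked.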
