Wrong IP addresses when using reverse proxy #70

Closed
hjek opened this issue Nov 4, 2017 · 5 comments

hjek commented Nov 4, 2017

When running news.arc behind an Nginx reverse proxy, news.arc thinks that every request is coming from 127.0.0.1. This may be more of an Nginx bug, but since a reverse proxy is needed for HTTPS, it should apply to any production instance of news.arc.

Example from my anarki/www/logs/news-2017-**-**,

1509768160 127.0.0.1 nil item 706
1509826295 127.0.0.1 nil item 821

This may not be a big issue, but it could break the IP blocking used against spam. It would be good to include a well-working Nginx configuration file in this repository, if anyone has one that works.

Member

akkartik commented Nov 4, 2017

Yes, I ran into this and fixed it years ago. Can you check if your Nginx is setting X-Forwarded-For correctly?

I haven't tried it in a while, so perhaps there's a regression.

(It's also mentioned in the list of gotchas. But that should only be for people using Arc 3.1 or the stable branch.)

Author

hjek commented Nov 4, 2017

It looks like I hadn't set it correctly. I have this (and can't remember where I got it from),

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE_ADDR $remote_addr;

Someone is suggesting this,

set_real_ip_from 127.0.0.1/32;
real_ip_header X-Forwarded-For;

But in the news.arc log everything is still just coming from 127.0.0.1.

Could you be a bit more specific on how to set the X-Forwarded-For "correctly"? (Nginx configuration is a jungle)

Member

akkartik commented Nov 4, 2017

I don't have my old code handy.. ah, fortunately I open sourced it at some point!

https://github.com/akkartik/readwarp/blob/master/scripts/Nginx.conf

This worked for me back in 2010.

Author

hjek commented Nov 4, 2017

Actually, some of the older log entries show the correct IP,

1509522493 46.229.***.*** nil user User1 
1509522705 66.249.***.*** nil item 740  
1509522764 66.249.***.*** nil item 757    
1509522827 66.249.***.*** nil item 783  
1509523088 66.249.***.*** nil item 769  
1509523200 127.0.0.1 nil item 124 
1509523926 127.0.0.1 nil item 479     
1509525348 66.249.***.*** nil item 730  
1509526073 127.0.0.1 User2 newest   
1509526134 127.0.0.1 User2 submit  
1509526161 127.0.0.1 User2 create https://[redacted] 
1509526163 127.0.0.1 User2 newest

I know for sure that both User1 and User2 are remote users (i.e. not browsing the site on the server itself, or on the same local network), and I didn't change the server configuration in the period above. Yet one user shows up with the wrong IP.

Also, (set show-requests*) doesn't seem to work.

Author

hjek commented Nov 5, 2017

https://github.com/akkartik/readwarp/blob/master/scripts/Nginx.conf

Yes, that did the trick! I'll put a basic Nginx config with this (and Let's Encrypt certs config) in this repo to make it more convenient for others.

Thanks!

hjek closed this as completed in b19fe33 Nov 6, 2017
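Added example, not part of the thread and not code from news.arc or the linked Nginx config: a Python sketch of how a backend behind a local reverse proxy can pick the address to log and to match against IP blocks, using X-Forwarded-For only when the connection really comes from the proxy. It assumes Nginx appends the connecting address to the header (for instance with `$proxy_add_x_forwarded_for`); the function names, the lower-cased header dict and the sample addresses are hypothetical.

```python
import ipaddress

# Assumption: the only proxy allowed to vouch for a client address is the
# local Nginx instance, which reaches the application over loopback.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Return the address to log and to check against IP blocks.

    peer_addr is the socket peer of the connection; headers is a dict of
    request headers with lower-cased names (hypothetical interface).
    """
    # Connection did not come through the proxy: the header is whatever the
    # sender wrote, so it is ignored and the socket peer is used.
    if not is_trusted(peer_addr):
        return peer_addr
    raw = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk from the right: the rightmost entries were appended by our own
    # proxies, so the first entry that is not a trusted proxy is the client.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing to the left of it
        if not is_trusted(hop):
            return hop
    # Header missing, malformed, or listing only proxies: fall back to the
    # peer. This is the case that shows up as 127.0.0.1 in the request log.
    return peer_addr
```

If `127.0.0.1` still dominates the log after deploying something like this, the proxy is not sending the header at all, which is the configuration problem discussed in this issue.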