Menu

Show real ip address when behind Nginx

Open Discussion
milauria
2017-07-14
2017-07-14

  • milauria

    milauria - 2017-07-14

    I run z-push with the Zimbra backend behind a reverse proxy with nginx.
    The z-push log file it shows the IP address of the nginx gateway and not the real address

    In nginx I have set:

    proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;

    any way to have z-push to log the real ip address of the remote device connecting ?
    I need this for an effective fail2ban setup
    thanks for any advise

     

    Last edit: milauria 2017-07-14

    • LiverpoolFCfan

      LiverpoolFCfan - 2017-07-14

      Have you configured this setting in the z-push config.php file?

      // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
define('USE_X_FORWARDED_FOR_HEADER', true);
       

      • milauria

        milauria - 2017-07-14

        Fantastic, this works perfectly … my overlook on the z-push settings … thanks a lot for the hint from a very happy user !

        On 15 Jul 2017, at 00:54, LiverpoolFCfan liverpoolfcfan@users.sf.net wrote:

        Have you configured this setting in the z-push config.php file?

        // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
        define('USE_X_FORWARDED_FOR_HEADER', true);
        Show real ip address when behind Nginx https://sourceforge.net/p/zimbrabackend/discussion/998911/thread/69e9406d/?limit=25#de5c/5784
        Sent from sourceforge.net because you indicated interest in https://sourceforge.net/p/zimbrabackend/discussion/998911/ https://sourceforge.net/p/zimbrabackend/discussion/998911/
        To unsubscribe from further messages, please visit https://sourceforge.net/auth/subscriptions/ https://sourceforge.net/auth/subscriptions/

         

        • LiverpoolFCfan

          LiverpoolFCfan - 2017-07-14

          You are welcome. Happy it worked for you. I use it all the time myself.

          It also gets added to the CURL calls from the zimbra backend so that additional information is available in the mailbox.log file for the z-push calls. This can be useful for debugging purposes also. For example

          2017-07-14 00:06:23,965 INFO [qtp509886383-17878:http://192.168.200.10:8080/service/soap/] [name=userName;mid=11;ip=192.168.200.10;oip=213.233.132.156, 192.168.200.100;ua=Android-SAMSUNG-SM-G920F/101.700(...f5d123) devip=213.233.132.156 ZPZB/66.1;] soap - (batch) GetFolderRequest elapsed=0

          You can see the call came from the z-push server 192.168.200.100 in this case, but also in the ua string you can see the Device Type that made the request and the last 6 chars of the deviceID. In devip you get the device IP address, and the zimbra backend version.

           

  • milauria

    milauria - 2017-07-14

    I did that and the zimbra audit.log reads correctly the remote ip ... problem is the z-push log that writes the ip of the front-end reverse proxy and not the remote ip …

     

    Last edit: milauria 2017-07-14

  • Maxxer

    Maxxer - 2017-07-14

    Try with:

        real_ip_header X-Forwarded-For;
    set_real_ip_from ZIMBRA_SERVER_IP;
     

  • milauria

    milauria - 2017-07-14

    This is in the nginx.conf of the reverse proxy?
    you mean something like this:

    proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
real_ip_header X-Forwarded-For;
set_real_ip_from 192.168.0.xxx;

    am I setting variables values with the above ?

     

  • Maxxer

    Maxxer - 2017-07-14

    I'm not fully understanding your configuration...

    Do you have
    public -> nginx proxy (zpush) -> zimbra
    or something else?

     

  • milauria

    milauria - 2017-07-14

    I have public --> nginx reverse proxy (ip 192.168.0.100) --> zimbra & z-push on the same server ip 192.168.0.110

    On the zimbra server 192.168.0.110 ... zimbra is listening on 8443 and z-push/httpd is listening on 443 ...

     

    Last edit: milauria 2017-07-14

  • Maxxer

    Maxxer - 2017-07-14

    So you're not seeing the real IP on httpd (I suppose apache). You need to install mod_rpaf

    https://zeldor.biz/2011/01/nginx-apache2-real-ip/

     

  • milauria

    milauria - 2017-07-14

    Thanks heaps for the hint ... I would have never though about it!

    Under Centos7 I saw that I need to donwload the tar manually etc ... following the "keep it simple" philosophy, should I better uninstall apache and install a plain nginx also on the zimbra server for the z-push so that it can better communicate with the upstream nginx reverse-proxy ?

    I though to use this configration for z-push with nginx: https://zignar.net/2012/04/14/z-push/
    Thanks for any advice, I will try anyway and report here the result

     

    Last edit: milauria 2017-07-14

  • Maxxer

    Maxxer - 2017-07-14

    Usually I leave Zimbra on port 443, and then patch zimbra's nginx to forward /Microsoft-Server-ActiveSync to a local apache/nginx on port (i.e.) 444. But this implies patching zimbra after every upgrade.
    Otherwise you can keep your current config but serve the AS url directly from the nginx proxy, without passing it over to apache.

     

  • milauria

    milauria - 2017-07-14

    This is very interesting ..so you are saying that from the reverse proxy server 192.168.0.100 I can put something like the below with no need of apache on zimbra server?

            listen 192.168.0.100:443 http2 ssl;
        location /Microsoft-Server-ActiveSync {
         proxy_pass https://192.168.0.110:443/usr/share/z-push/index.php ;
        }
     

    Last edit: milauria 2017-07-14

    • Maxxer

      Maxxer - 2017-07-14

      Not exaclty. nginx should serve also as an http server, and proxy /zimbra and its stuff.

      https://zignar.net/2012/04/14/z-push/

       

Log in to post a comment.