In the realm of web servers, accurate logging of client IP addresses is crucial for security, analytics, and compliance purposes. However, when Nginx is deployed behind a reverse proxy, load balancer, or CDN, the IP addresses logged may not reflect the actual client IP addresses. This is where the Nginx Real IP module comes into play.

I. What is Nginx Real IP Module?

The Nginx Real IP module (ngx_http_realip_module) lets the server take the client IP address from a header set by a proxy or load balancer, instead of from the address of the TCP connection. With this module enabled, Nginx records the client's address rather than the proxy's address in its access logs.

II. Why Use Nginx Real IP Module?

  1. Accurate Logging: By obtaining the real client IP address, the Nginx Real IP module ensures that server access logs accurately reflect the origins of incoming requests. This is essential for security analysis, troubleshooting, and compliance audits.

  2. IP-based Access Control: Many applications rely on IP-based access control to restrict access to certain resources. The Nginx Real IP module enables precise enforcement of access control rules based on the actual client IP address.

  3. Geolocation and Analytics: Accurate client IP addresses are necessary for geolocation services and analytics tools to provide insights into user demographics, behavior, and traffic patterns.

III. Installation and Configuration

To enable the Nginx Real IP module, follow these steps:

  1. Install Nginx with Real IP Module: Ensure that Nginx is compiled with the Real IP module. Most distribution packages include it. The module is not built by default when you compile Nginx from source, so pass the --with-http_realip_module option to configure.

  2. Configure Nginx: Add the following configuration to your Nginx server block or nginx.conf file:

    set_real_ip_from <IP_Range>;
    real_ip_header X-Forwarded-For;
    

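    Replace <IP_Range> with the IP address range of your proxy, load balancer, or CDN. Keep this range as narrow as possible: Nginx accepts the header value from any connection that originates inside it, and X-Forwarded-For can be set to anything by whoever sends the request.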

  3. Restart Nginx: After making the changes, restart the Nginx service to apply the configuration:

    sudo systemctl restart nginx
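
The trust decision behind set_real_ip_from, as an added example (not code from the original article or from nginx): a simplified Python model of how the module picks the client address from X-Forwarded-For. real_ip_recursive is a real nginx directive that the steps above do not cover; the addresses are constructed samples, and ports in header entries are not modelled.

```python
import ipaddress

def real_ip(peer, xff, trusted, recursive=False):
    """Simplified model of the address selection in ngx_http_realip_module.

    peer      -- address of the TCP connection nginx accepted
    xff       -- raw X-Forwarded-For header value ('' if absent)
    trusted   -- CIDR strings, one per set_real_ip_from line
    recursive -- models the real_ip_recursive directive (off by default)
    """
    nets = [ipaddress.ip_network(c) for c in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)

    # The header is honoured only when the connection comes from a trusted proxy.
    if not is_trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    chosen = peer
    # Walk right to left: the rightmost entry was appended by the nearest proxy.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last good address
        chosen = hop
        if not recursive or not is_trusted(hop):
            break
    return chosen

# Constructed sample: a client at 198.51.100.7 sends the forged header value
# "192.0.2.66"; the proxy at 10.0.0.5 appends the address it actually saw.
PROXY = "10.0.0.5"
HEADER = "192.0.2.66, 198.51.100.7"

def demo():
    return {
        # Client connects directly: peer is not trusted, header is ignored.
        "direct": real_ip("198.51.100.7", "192.0.2.66", ["10.0.0.0/8"]),
        # Narrow trust: the proxy-appended entry is used, forged entry ignored.
        "narrow_trust": real_ip(PROXY, HEADER, ["10.0.0.0/8"], recursive=True),
        # Trusting every address lets the forged entry become the "real" IP.
        "trust_all": real_ip(PROXY, HEADER, ["0.0.0.0/0"], recursive=True),
    }

if __name__ == "__main__":
    print(demo())
```

Only the trust_all case logs the forged address, which is why the ranges given to set_real_ip_from should cover the proxies and nothing else.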
    

IV. Integrating with Cloudflare, AWS, and Google Cloud

1. Cloudflare

If your Nginx server is behind Cloudflare, you need to use the CF-Connecting-IP header instead of X-Forwarded-For:

    set_real_ip_from <Cloudflare_IP_Range>;
    real_ip_header CF-Connecting-IP;

Replace <Cloudflare_IP_Range> with a Cloudflare IP address range. The set_real_ip_from directive can be repeated, one line per range.

Cloudflare provides a list of IP ranges used by their edge servers. You can find the IP ranges on the Cloudflare IP Ranges page.

2. Amazon Web Services (AWS)

When using AWS Elastic Load Balancer (ELB), use the X-Forwarded-For header:

    set_real_ip_from <ELB_IP_Range>;
    real_ip_header X-Forwarded-For;

Replace <ELB_IP_Range> with the IP address range of your AWS ELB.

AWS publishes IP ranges for various services such as Elastic Load Balancer (ELB), CloudFront, and API Gateway. Refer to the following AWS documentation pages for the IP ranges:

3. Google Cloud

If your Nginx server is behind Google Cloud Load Balancer, use the X-Forwarded-For header:

    set_real_ip_from <Google_LB_IP_Range>;
    real_ip_header X-Forwarded-For;

Replace <Google_LB_IP_Range> with the IP address range of your Google Cloud Load Balancer.

Google Cloud also offers IP ranges for services like Google Cloud Load Balancer, Compute Engine, and Kubernetes Engine (GKE). Visit the following Google Cloud documentation pages for IP ranges:

By incorporating the Nginx Real IP module and configuring it with the correct IP ranges of your proxy, load balancer, or CDN, you can ensure accurate client IP address logging in your Nginx server logs. This enhances security, access control, and analytics capabilities for your web applications, making it an essential component of your web server setup.