How to configure Nginx to read the real IP address of whoever made the request - kdaisho/Blog GitHub Wiki
The location of the access log in Nginx
/var/log/nginx/access.log
Using the tail command, you can read the last 20 lines of the access log.
sudo tail -n 20 /var/log/nginx/access.log
But by default, I wasn't able to read the real IP addresses of clients. Here are the possible reasons:
You weren’t able to read the real IP address before configuring Nginx because of how proxying and IP forwarding work, particularly with services like Cloudflare.
Here’s a breakdown of what happened:
Proxy Servers in Between:
When you use Cloudflare (or any other reverse proxy), the request from the client (e.g., your browser) doesn’t go directly to your server. Instead, Cloudflare acts as an intermediary, handling the request first and then forwarding it to your server. Cloudflare, in this case, sends the client's real IP address to your server via the X-Forwarded-For header. However, by default, Nginx logs the IP of the proxy server (Cloudflare's IP in this case) because that’s the direct source of the request.
Nginx Configuration:
By default, Nginx reads the direct source IP of the request (in this case, Cloudflare’s IP) and logs that. It doesn’t automatically look at the X-Forwarded-For header where the real IP is stored.
Missing Real IP Handling:
You needed to configure Nginx to trust the IPs that forward the real client IP (set_real_ip_from), and tell it to use the X-Forwarded-For header (real_ip_header) to get the actual IP address of the client. Without this configuration, Nginx would continue logging Cloudflare's IP (or whichever proxy IP is being used), not the original client’s IP.
Cloudflare's Role:
Cloudflare forwards the real IP of the client in the X-Forwarded-For header. But you need to tell Nginx to look at that header, trust Cloudflare’s IP as the source, and use it instead of the default behavior of logging the proxy's IP.
Solution
Configure the server block file
Add these snippets to a server block file for the web app (I picked brailler.daishodesign.com).
The server block files are here: /etc/nginx/sites-available/
Add this block:
# Set real IP handling
set_real_ip_from 0.0.0.0/0; # Trusts all IPs, so any sender's X-Forwarded-For is believed (or restrict to Cloudflare IPs)
real_ip_header X-Forwarded-For;
real_ip_recursive on;
And this line.
# Log the IP in the access log (using the format from nginx.conf)
access_log /var/log/nginx/access.log combined;
So the entire file would look like this:
server {
    listen 80;
    listen [::]:80;
    # root /var/www/brailler.daishodesign.com/build/client;
    root /var/www/brailler.daishodesign.com;
    index index.html index.htm;
    server_name brailler.daishodesign.com;

    # Set real IP handling
    set_real_ip_from 0.0.0.0/0; # Trusts all IPs, so any sender's X-Forwarded-For is believed (or restrict to Cloudflare IPs)
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    location / {
        # try_files $uri $uri/ =404;
        proxy_pass http://localhost:8895;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;

        # Log the IP in the access log (using the format from nginx.conf)
        access_log /var/log/nginx/access.log combined;
    }
}
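Why the choice of set_real_ip_from range matters, as an added example that is not part of the original wiki page: a Python approximation of how Nginx's real-IP handling picks the address it logs, run over constructed requests with "trust all" and with a restricted proxy range. The function name, the documentation-range addresses and the stand-in proxy range are assumptions, as is the proxy appending the client address to any X-Forwarded-For value the client already sent.

```python
import ipaddress

def resolve_client_ip(peer, xff, trusted, recursive=True):
    """Approximate how Nginx's realip module picks the logged client address.

    peer      -- address of the TCP connection Nginx accepted
    xff       -- raw X-Forwarded-For header value
    trusted   -- CIDR strings, one per set_real_ip_from line
    recursive -- real_ip_recursive on/off
    """
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    addr = peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk the header right to left, but only while the current address
    # belongs to a trusted proxy.
    while hops and is_trusted(addr):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: keep the address found so far
        addr = candidate
        if not recursive:
            break  # recursion off: take only the last entry
    return addr

# Constructed sample values (RFC 5737 documentation ranges).
PROXY_RANGE = ["198.51.100.0/24"]   # stand-in for Cloudflare's published ranges
TRUST_ALL = ["0.0.0.0/0"]           # the setting used on this page
PROXY = "198.51.100.7"              # stand-in for a Cloudflare edge address
CLIENT = "203.0.113.50"             # the client's real address
CLAIMED = "192.0.2.66"              # address the client wrote into its own header

# Via the proxy: the proxy appends the real client address to the client's header.
VIA_PROXY = (PROXY, f"{CLAIMED}, {CLIENT}")
# Direct to the origin, bypassing the proxy.
DIRECT = (CLIENT, CLAIMED)

if __name__ == "__main__":
    for label, trusted in (("trust all", TRUST_ALL), ("proxy range only", PROXY_RANGE)):
        for path, (peer, xff) in (("via proxy", VIA_PROXY), ("direct", DIRECT)):
            print(f"{label:17} {path:10} logged={resolve_client_ip(peer, xff, trusted)}")
```

With 0.0.0.0/0 trusted, the logged address is whatever the client put in the header, on both paths; with only the proxy range trusted, the log shows the client's real address on both paths.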
AI suggested configuring the nginx.conf file (/etc/nginx/nginx.conf) as well, but it turned out I didn't need to.
Restart Nginx
After those changes, reload Nginx. You will see errors, if there are any.
sudo nginx -s reload
Then restart nginx.
sudo systemctl restart nginx
Now you will see the real IP. Tail the access log, then open the web app in your browser. You'll see your own public IP address. (Check it against a "What's my IP" service.)
sudo tail -f /var/log/nginx/access.log