One of the more difficult things I come across when configuring reverse proxies and backend servers is ensuring the client/remote IP is passed through correctly to the backend server. Oftentimes, my initial config shows the client/remote IP as the address of my reverse proxy (an RFC 1918 address). That sure isn't helpful for auditing where requests are coming from.
Here's a list of the relevant directives:

On the backend server, only accept the forwarded client address from the reverse proxy itself. The realip module reads X-Real-IP by default, which the proxy sets below; a header arriving from any other source address is ignored:

    set_real_ip_from 1.2.3.4;   (IP of the reverse proxy)

On the reverse proxy, pass the real client address along:

    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;

Using $remote_addr here overwrites any X-Forwarded-For value the client sent, so the backend never sees a client-controlled chain of addresses.

When proxying traffic to a backend server that uses HTTPS/TLS with a self-signed cert, do one of the following. Either verify the backend against its own cert (proxy_ssl_trusted_certificate has no effect unless proxy_ssl_verify is on):

    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
    proxy_ssl_verify_depth 2;

-OR- skip verification entirely, which leaves the proxy-to-backend hop unauthenticated:

    proxy_ssl_verify off;
This is my default reverse proxy configuration; it has worked with 99% of the apps I've come across.
    server {
        server_name host.example.com;
        listen 443 http2 ssl;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        location / {
            proxy_pass http://172.16.32.64:8080/;

            # pass WebSocket upgrades through (needs HTTP/1.1 to the backend)
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_http_version 1.1;

            # preserve the original Host, client address and scheme
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE_ADDR $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;

            add_header Strict-Transport-Security "max-age=15552000;";
        }
    }