[graylog2] nginx reverse proxy messing up gl2_remote_ip

Mon, 26 Sep 2016 01:50:36 -0700 

Hi,

we're using nginx as reverse proxy in front of our graylog server. This 
works fine beside logging the clients IP address.
Following rule adds the IP address to our GELF http input:

rule "add ip"
when
    true
then
    set_field("ip", to_ip($message.gl2_remote_ip));
end

If we post data to the input-ip / port combination (http://<*ip>*:*12202*/gelf) 
it works as expected.

We configured our nginx as reverse proxy as follows:

server {
   listen 443 ssl;
   server_name log-input.server-name.de;

   ssl_certificate_key /etc/ssl/server.key;
   ssl_certificate /etc/ssl/server.crt;

   error_log /var/log/nginx/error.log debug;

   location / {
       proxy_pass http://127.0.0.1:12202;
       proxy_redirect off;

       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Host   $host:443;

       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-Port   443;
       proxy_set_header X-Forwarded-Proto  https;
       proxy_set_header X-Scheme $scheme;

       # testing remote addr combinations
       proxy_set_header REMOTE_ADDR $remote_addr;
       proxy_set_header Remote_Addr $remote_addr;
       # /testing remote addr combinations

       proxy_pass_request_headers on;
       proxy_connect_timeout 150;
       proxy_send_timeout 100;
       proxy_read_timeout 100;
       proxy_buffers 4 32k;
       client_max_body_size 8m;
       client_body_buffer_size 128k;
   }
}



Unfortunately the logging result with post-requests to 
*https://log-input.<server-name>.de/gelf* shows 127.0.0.1 as IP address, 
instead of the real client *$remote_addr*.
The activated debug log (*/var/log/nginx/error.log*) shows the IP address 
correctly. It seems that *gl2_remote_ip* does not handle HTTP headers as 
expected. 

Has someone a solution for our problem?

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/ec4d001e-fac6-4b23-9d09-b15ac9583aae%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to