Reverse proxies typically pass the client's IP address by adding additional headers to the request. There is a new standard (RFC 7239) called the Forwarded header, but not many proxies or servers have support for this; most use the old de facto standard of X-Forwarded-For.
So, you need to configure nginx to add an X-Forwarded-For header, and you also need to configure the pebble server to read the X-Forwarded-For header. To configure nginx:

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Now pebble doesn't out of the box support using the X-Forwarded-For header, but the server you run it on may. If you run it on tomcat for example, you can use the remote IP valve in your tomcat server configuration:

https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

On 18 October 2015 at 00:03, Olaf Kock <[email protected]> wrote:
> Hi Ant,
>
> I'm not sure about nginx, but this frequently happens with Apache as well.
> I can tell you how to fix it there, you'll have to do the "translation" to
> nginx yourself...
>
> When you forward from Apache to (e.g.) tomcat through HTTP, you're
> creating a new HTTP request on Apache, legitimately this comes from
> 127.0.0.1. Typically this also loses the original Hostname (as it only
> carries whatever Apache needs to access your tomcat instance). Also tomcat
> believes it's serving content on port 8080 and generates URLs according to
> this.
>
> One way to fix it is to forward not through HTTP but through AJP - on
> Apache mod_jk is an option.
>
> There are numerous options that carry the original request's properties
> forward to tomcat, signalling to tomcat that it's behind a proxy.
> "ProxyPreserveHost On" is one of them, so that Tomcat gets an idea of the
> original Hostname. There's certainly one that forwards the original host's
> IP, I'm suspecting something similar to "x-forwarded-for", a typical proxy
> header.
>
> Sorry, not a full solution, but maybe enough food for thought to get you
> onto the right track. Please report back with the solution if this has
> helped finding it. Or report back if it hasn't - maybe someone else has the
> setup ready to go and can share as well.
>
> Cheers,
> Olaf
>
>
> On 15.10.2015 at 22:12, Ant Kutschera wrote:
>
> > Hi,
> >
> > I have come across an interesting problem when pebble is deployed behind a
> > reverse proxy (e.g. nginx).
> >
> > If I log in to my blog and post a comment, then 127.0.0.1 is added to the
> > whitelist, because pebble sees the request coming from localhost (the
> > reverse proxy) rather than from the internet. That then opens up my blog
> > for anyone in the world to create a comment, because when they do, it too
> > is viewed as coming from localhost, which is now on the whitelist :-)
> >
> > Either I have nginx set up wrong, and it should be passing pebble the
> > outside IP address (help please?) or this is a bug/feature-request in
> > pebble.
> >
> > Has anyone else had this problem? I am using Pebble 2.4.
> >
> > Thanks,
> > Ant
------------------------------------------------------------------------------
_______________________________________________
Pebble-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/pebble-user
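
Added example, not part of the original thread and not Pebble, nginx or Tomcat code: nginx's `$proxy_add_x_forwarded_for` appends the connecting address to whatever X-Forwarded-For value the client sent, so only the rightmost entries are written by a proxy. This Python example resolves the address a whitelist should be checked against by walking the header right to left past trusted proxies. The function names, the trusted-proxy list and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: the only trusted proxy is the reverse proxy on the same host.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def is_trusted_proxy(addr):
    """True if addr belongs to a proxy we operate ourselves."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, x_forwarded_for=None):
    """Return the client address to use for whitelist decisions.

    peer_addr is the TCP peer of the connection; x_forwarded_for is the raw
    header value or None. Returns None when the chain cannot be verified, so
    the caller can refuse to whitelist anything.
    """
    peer = ipaddress.ip_address(peer_addr)
    # The header is only meaningful when our own proxy delivered the request;
    # on a direct connection it is entirely client-controlled.
    if not is_trusted_proxy(peer):
        return str(peer)
    if not x_forwarded_for:
        # Proxy did not set the header: every request looks local, which is
        # the situation described in the thread.
        return str(peer)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Rightmost entries were appended by proxies; anything to the left of the
    # first untrusted address was supplied by the client and is ignored.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: fail closed
        if not is_trusted_proxy(addr):
            return str(addr)
    return str(peer)  # every hop was one of our proxies: a local request


if __name__ == "__main__":
    # Constructed sample: the client sent "127.0.0.1", nginx appended the
    # real peer address 203.0.113.7.
    print(resolve_client_ip("127.0.0.1", "127.0.0.1, 203.0.113.7"))
```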
