Proxying services with forwarding client IPs

Hi everyone,

This could be a repeated query and honestly I am a newbie to redirects and proxying in general.

Here is our setup for freeCodeCamp.org:

Architectural diagram of freeCodeCamp.org

To be brief, we have three main applications: learn, news and forum.

learn is served from Netlify at the root of the domain, and we have two other services, which are Ghost and Discourse instances respectively, behind an NGINX.

Now we are unable to correctly get the true client IP addresses from our NGINX instance, because Netlify reverse proxies these from its CDN servers. This, I understand, is expected.

For various reasons we would like to keep the applications at /news and /forum, and hence the need for a reverse proxy from Netlify.

Here is the _redirects file:

...
/forum/*    https://forum-proxy.freecodecamp.org/forum/:splat 200
/news       https://news-proxy.freecodecamp.org/news/ 200
/news/*     https://news-proxy.freecodecamp.org/news/:splat 200
...

Now we would like to update the _headers file to send headers like X-Forwarded-For and X-Real-IP, like we used to in our NGINX before moving over to Netlify for the root domain.

Before our move we had yet another NGINX instance that served the static site and forwarded the IP addresses like so to the forum and news NGINX.

# snippet from our previous NGINX config
# add client's IP to proxy request to upstream node servers
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;

We used to be able to intercept these and use them in Discourse as needed.

Now the question is:

How do we do this using the headers file? Please note that Cloudflare is not an issue here, because we see Netlify’s CDN IP addresses, so it needs to be forwarded further to the NGINX instance serving these applications.

Thanks for your time and consideration that I am fairly new to proxying and rewrites.

Did you use the search before posting?

Yes. With not much idea on the current solutions.

What about reading through our Common Issues?

Yes. Verified that this is not a common issue.

As you’re aware, we don’t provide tech support for Cloudflare-fronted sites: [Support Guide] What problems could occur when using Cloudflare in front of Netlify?

This is not a Cloudflare issue, so I’ll speak to this as though Cloudflare was not involved.

To start with, we don’t provide the IP in a way you can manipulate using the headers functionality; it’s not available AT BUILD TIME which is when you must configure headers. This is in essence a “static” configuration for headers - there is no dynamic “variable substitution” even if we did have that available as a variable.

However, the IP is available in the HTTP headers. While we do reserve the right to change this implementation, you can currently and for the immediate future at least, use the X-Bb-IP header, as shown in this screenshot (generated by testing a proxy route via requestbin.com):

Not sure if your setup can use it, but it’s what’s available, and we don’t intend to make anything else available in the foreseeable future for normal proxy’d requests such as you’re describing.

Hi @fool

Thanks for your fast response on this. I was able to use the header like you mentioned and resolve the issue.

I totally understand that these are non-conventional setups and having Cloudflare adds to the complexity.

That said, your recommendation seems to have fixed our burning fire and we will be working on a more reliable solution that does not depend on this header.

Thanks once again.

@raisedadead can you elaborate how you used the X-Bb-IP with proxy redirect rules?
We’re in the same boat now, with the Netlify CDN IP getting pushed to Cloudflare, which is giving us the wrong country in the CF-provided HTTP_CF_IPCOUNTRY header.

I would like to somehow proxy the x-bb-ip into the x-real-ip header

Our service won’t be able to help with that. You might be able to write a function to handle that, but it’s pretty suboptimal to route ALL of your traffic through a function, so you’ll want to design with some care to prevent excess latency, and charges for high function usage.


Hi @altryne, like @fool mentioned this is absolutely not something which you should be doing.

I do not know what you use behind the stack, but for our NGINX setup, I was able to change:

# add client's IP to proxy request to upstream node servers
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;

to

# add client's IP to proxy request to upstream node servers
proxy_set_header X-Forwarded-For $http_x_bb_ip;
proxy_set_header X-Real-IP $http_x_bb_ip;

Again, this is fragile and is not warranted to work for your needs. We ourselves are moving to a different setup.


Sorry to bump this old thread, but just found it while looking for something else, and wanted to mention that you should NOT rely on x-bb-ip - please use the other one x-nf-client-connection-ip which we commit to maintaining; x-bb-ip is an internal implementation detail that will go away sometime soon :slight_smile:

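The header swap discussed in this thread, as an added NGINX example that is not taken from any poster's configuration: it reads x-nf-client-connection-ip (the header the last reply says to use) instead of x-bb-ip, checks its shape, and falls back to the socket address otherwise. The upstream name and address, certificate paths and log path are assumptions.

```nginx
# Added example, not any poster's configuration. Goes in the http {} context.
# Assumed: the upstream name and address, the certificate paths, the log path.

# Form posted in the thread: the header value is copied through unchecked.
#   proxy_set_header X-Forwarded-For $http_x_bb_ip;
#   proxy_set_header X-Real-IP       $http_x_bb_ip;

# Use the header only when it is shaped like one IPv4 or IPv6 literal;
# an absent, empty or malformed value falls back to the TCP peer address.
map $http_x_nf_client_connection_ip $client_ip {
    default                              $remote_addr;
    "~^[0-9]{1,3}(\.[0-9]{1,3}){3}$"     $http_x_nf_client_connection_ip;
    "~*^[0-9a-f]*:[0-9a-f:.]+$"          $http_x_nf_client_connection_ip;
}

# Record the peer, the raw header and the chosen value side by side so that
# requests arriving without the header (or with an odd one) stand out.
log_format clientip '$remote_addr hdr="$http_x_nf_client_connection_ip" '
                    'used=$client_ip "$request" $status';

upstream discourse_app {
    server 127.0.0.1:3000;   # assumed Discourse address
}

server {
    listen 443 ssl;
    server_name forum-proxy.freecodecamp.org;   # from the _redirects file above
    ssl_certificate     /etc/nginx/tls/forum-proxy.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/forum-proxy.key;   # assumed path
    access_log /var/log/nginx/forum-proxy.access.log clientip;

    location /forum/ {
        # Overwrite rather than append, so a client-sent X-Forwarded-For
        # is not passed on to the application.
        proxy_set_header X-Forwarded-For $client_ip;
        proxy_set_header X-Real-IP       $client_ip;
        proxy_set_header Host            $host;
        proxy_pass http://discourse_app;
    }
}
```

The shape check does not authenticate the value: it is only as trustworthy as the network path to this origin, so if the proxy hostname accepts connections that did not come through Netlify, treat the header as client-supplied.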