drag

This is a tutorial on how to forward connections from Nginx to httpd in CentOS.

First of all, you have to edit the Nginx configuration file for the domain you want to forward.

vim /etc/nginx/conf.d/example.domain.conf

server {

server_name example.net; # your domain name

location / {

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $remote_addr;

proxy_set_header Host $host;

proxy_pass http://127.0.0.1:8080;

}

Now Nginx is ready. The next thing you have to do is set up your httpd configuration so it listens on port 8080, because Nginx will forward all connections to your domain to port 8080.

vim /etc/httpd/conf/httpd.conf

Listen 127.0.0.1:8080

The forwarding should already work now, however there is still a problem.

Httpd does not yet handle the forwarded header information, so all connections to httpd stem from localhost.

To fix this you have to install an additional httpd module:

yum install mod_extract_forwarded

To configure this module you need a _mod_extractforwarded.conf file in your /etc/httpd/conf.d directory.

The file should contain:

[spoiler effect=”simple”]LoadModule extract_forwarded_module modules/mod_extract_forwarded.so

# MEForder can have either of two value ‘refuse,accept’ or ‘accept,refuse’ and
# specifies the order in which the information in two associated directives,
# MEFaccept and MEFrefuse, are intepreted. The MEFaccept and MEFrefuse
# directives are each used to spcifiy one or more IP numbers.

MEForder refuse,accept

# MEFrefuse can be ‘all’ OR a list of IP numbers and/or domain names of trusted
# proxy servers whose IP number can be derived by DNS from the domain name.
# The presence of ‘all’ overrides any particular IP numbers and means that no
# proxy servers are to be trusted. Individual IP numbers mean that those proxy
# servers having them are not to be trusted. This defaults to ‘all’.

MEFrefuse all
MEFaccept 127.0.0.1
# MEFaccept can be ‘all’ OR a list of IP numbers and/or domain names of trusted
# proxy servers whose IP number can be derived by DNS from the domain name.
# The presence of ‘all’ overrides any particular IP numbers and means that all
# proxy servers are to be trusted.
# Individual IP numbers mean that those the proxy servers having them are to be
# trusted. This defaults to an empty list of trusted IP numbers.

# MEFaccept 1.2.3.4 1.2.3.5

# Normal mode of use is to say:
#
# MEForder refuse,accept
# MEFrefuse all
# MEFaccept
#
# with the MEForder directive saying apply the MEFrefuse rule first then the
# MEFaccept rule.
# The MEFrefuse rule says do not trust any proxy servers but this is selectively
# overridden for particular IP numbers listed by the MEFaccept directive.

# MEFaddenv can be ‘off’, ‘on’ (the default) or a string. ‘off’ means that when
# spoofing, do not add an environment variable whose value is the IP number of
# the connecting machine. ‘on’ means that when spoofing, add an environment
# variable called ‘MEF_RPROXY_ADDR’ whose value is the IP number of the
# connecting machine.
# A string means that when spoofing, add an environment variable named by the
# string supplied whose value is the IP number of the connecting machine.

MEFaddenv on

# MEFdebug can be ‘on’ or ‘off’ (the default). When turned ‘on’ information
# about how the mod_extract_forwarded module is processing every request to your
# Apache 2 server, and any associated internal redirects or subsrequests, is
# written to the server’s error_log.
# The amount of output written and the way it is generated is such that you
# would never normally want to turn this feature on.
# This feature is intended for debugging operation of the mod_extract_forwarded
# module and it is unlikely you will want to do that.

MEFdebug off

[/spoiler]

 

The approach differs slightly from other distributions like Debian. You can find a tutorial for Debian here: http://zeldor.biz/2011/01/nginx-apache2-real-ip/