Netgate Discussion Forum
    Backend servers can't see real users' IPs

    NAT
    21 Posts 4 Posters 7.5k Views
    RomkaLTU

      @johnpoz:

      "I always testing from outside"

      Then you have NO use for NAT reflection and it should be OFF!!  Set up your internal name resolution to resolve your FQDN to the internal IP of either the server directly or your proxy's internal IP.

      By default it was off. When I first set up pfSense and saw the problem, I started to dig, then started changing reflection settings. This doesn't make sense to me right now: what is different between domain1.com and subdomain.domain1.com? They both point to the same external IP and every request to port 80 is forwarded to the proxy.

      johnpoz LAYER 8 Global Moderator

        So you're saying this does not work from external.. PM me the actual FQDN or post it here.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        RomkaLTU

          @johnpoz:

          So you're saying this does not work from external.. PM me the actual FQDN or post it here.

          Ok so here are 2 links that will show you your IP; it's a simple PHP REMOTE_ADDR:

          1. hdd.lt/php.php
          2. dev.prodev.lt

          johnpoz LAYER 8 Global Moderator

            I get this..

            Sure looks like different pages are presented to me

            getting back a 404 for your favicon

            GET /favicon.ico HTTP/1.1
            Host: dev.prodev.lt
            HTTP/1.1 404 Not Found
            Server: nginx
            Date: Sat, 27 Aug 2016 12:41:39 GMT

            (attachment: igetthis.jpg)


            RomkaLTU

              @johnpoz:

              I get this..

              Sure looks like different pages are presented to me

              They all point to the same server, I can give you another example

              https://prodev.lt/php.php vs http://dev.prodev.lt

              They both point to the same external IP, same server, but dev.prodev.lt reports the proxy IP instead of my external one.

              johnpoz LAYER 8 Global Moderator

                And what IP is 192.168.2.2?  That is not the pfSense IP, is it??  You're just doing a simple port forward.. pfSense doesn't give 2 shits about what is in the traffic, only that it is to port 80..  Why don't you sniff on the pfSense LAN IP and validate for yourself.  You have a proxy issue.

                Is your proxy resolving these internal FQDNs??

                Maybe your old router was doing NAT reflection and your proxy was sending traffic to your WAN IP and then getting redirected in, etc..  Which should never happen anyway in a correct setup.

                pfSense doesn't care what the FQDN is; it sees traffic to 80, it looks in the forward and says oh that goes to IPaddress123..  It doesn't look in the packets, it doesn't care if they are looking for domain.tld or host.domain.tld, it just sends it to your proxy.. What your proxy does with it is up to the proxy..

                Sniff on your WAN and see what is happening.. My guess is your proxy is trying to resolve a name and is getting the public vs internal address and then sending it to your WAN, and you're trying to do NAT reflection, so yeah, traffic looks like it comes from your own proxy IP, which is that 2.2 address I assume.


                RomkaLTU

                  @johnpoz:

                  And what IP is 192.168.2.2?  That is not the pfSense IP, is it??  You're just doing a simple port forward.. pfSense doesn't give 2 shits about what is in the traffic, only that it is to port 80..  Why don't you sniff on the pfSense LAN IP and validate for yourself.  You have a proxy issue.

                  Is your proxy resolving these internal FQDNs??

                  192.168.2.2 is a proxy, and the proxy upstreams traffic to an internal IP depending on FQDN… very simple config. I will double check later today.

                  RomkaLTU

                    @johnpoz:

                    And what IP is 192.168.2.2?  That is not the pfSense IP, is it??  You're just doing a simple port forward.. pfSense doesn't give 2 shits about what is in the traffic, only that it is to port 80..  Why don't you sniff on the pfSense LAN IP and validate for yourself.  You have a proxy issue.

                    Is your proxy resolving these internal FQDNs??

                    Maybe your old router was doing NAT reflection and your proxy was sending traffic to your WAN IP and then getting redirected in, etc..  Which should never happen anyway in a correct setup.

                    pfSense doesn't care what the FQDN is; it sees traffic to 80, it looks in the forward and says oh that goes to IPaddress123..  It doesn't look in the packets, it doesn't care if they are looking for domain.tld or host.domain.tld, it just sends it to your proxy.. What your proxy does with it is up to the proxy..

                    Sniff on your WAN and see what is happening.. My guess is your proxy is trying to resolve a name and is getting the public vs internal address and then sending it to your WAN, and you're trying to do NAT reflection, so yeah, traffic looks like it comes from your own proxy IP, which is that 2.2 address I assume.

                    Ok this partially makes sense, I will get back home and double check nginx (proxy) and post results here.

                    GomezAddams

                      Your web servers are going to see connections coming in from the IP address of the reverse-proxy - no two ways about it.

                      What you need to do is to configure nginx to add "X-Forwarded-For" headers to the headers of incoming connections, and tell your web servers to log the "X-Forwarded-For" IP address instead of the actual incoming IP address.

                      johnpoz LAYER 8 Global Moderator

                        ^ this makes sense..  Which again, as I've been saying, has nothing to do with pfSense at all..


                        RomkaLTU

                          @GomezAddams:

                          Your web servers are going to see connections coming in from the IP address of the reverse-proxy - no two ways about it.

                          What you need to do is to configure nginx to add "X-Forwarded-For" headers to the headers of incoming connections, and tell your web servers to log the "X-Forwarded-For" IP address instead of the actual incoming IP address.

                          You're wrong, I'm using the nginx real IP module and sending the required headers; you don't realise that the IP is already forwarded, as shown in my examples, it's just that this stuff doesn't work on one specific subdomain; for all other domains it's working as expected. Going to check the specific vhost, maybe there is something wrong or a typo or something.

                          Derelict LAYER 8 Netgate

                            If you are forwarding a WAN address to your nginx proxy and have example.com, subdomain1.example.com, and subdomain2.example.com resolving to WAN address, pfSense has zero idea what domain or subdomain your clients are connecting to. It is only looking at IP addresses and ports. It will be behaving exactly the same for all of them.

                            If that is the case your problem absolutely lies in your proxy.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            RomkaLTU

                              Ok so I managed it; you are all partially right, but the problem was not in the proxy server. I needed an extra step on the backend server (LiteSpeed web server) to complete my task: there is an option "Use Client IP in Header" which must have been accidentally disabled. I knew about this option but was sure that it was set to yes, so it was a backend server misconfiguration, not pfSense and not the proxy server.

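                              The thread's resolution (GomezAddams' point that the backend only ever sees the proxy's address, and the OP's LiteSpeed "Use Client IP in Header" fix) comes down to one rule: the backend must read the client address out of X-Forwarded-For, but only believe the part of that header written by a proxy it knows. The following is an added example, not code from this thread or from pfSense, nginx or LiteSpeed. It models the proxy side (what nginx's `$proxy_add_x_forwarded_for` variable produces when used with `proxy_set_header X-Forwarded-For`) and two backend readers: the naive "take the leftmost entry" approach, and the recursive right-to-left walk that nginx's `set_real_ip_from` / `real_ip_header` / `real_ip_recursive` directives implement. The trusted proxy address 192.168.2.2 is taken from the thread; the client addresses 203.0.113.5 and 10.0.0.1 are constructed sample data.

```python
# Added example (not code from the thread): how a backend should recover the
# client address from X-Forwarded-For, and why the naive way is spoofable.
# Assumptions: the reverse proxy is 192.168.2.2 (the nginx box in the thread)
# and it appends the TCP peer address to X-Forwarded-For, which is what nginx
# does with "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;".
# Client addresses such as 203.0.113.5 and 10.0.0.1 are constructed sample data.
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Only hops inside these networks are believed when they claim to forward on
# behalf of someone else. Equivalent to nginx "set_real_ip_from 192.168.2.2;".
TRUSTED_PROXIES: List[Network] = [ipaddress.ip_network("192.168.2.2/32")]


def _is_trusted(addr: str, trusted: List[Network]) -> bool:
    """True if addr parses as an IP and lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def proxy_add_x_forwarded_for(peer_addr: str, incoming_xff: Optional[str]) -> str:
    """Proxy side: the value nginx's $proxy_add_x_forwarded_for sends upstream.

    The header the proxy received (possibly attacker-supplied) is kept and the
    address of the peer that connected to the proxy is appended on the right.
    """
    return f"{incoming_xff}, {peer_addr}" if incoming_xff else peer_addr


def leftmost_xff(remote_addr: str, xff: Optional[str]) -> str:
    """Backend side, the common mistake: take the first X-Forwarded-For entry.

    The leftmost entry is whatever the client chose to send, so this lets any
    client pick the address that ends up in logs, rate limits and allow lists.
    """
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip(remote_addr: str, xff: Optional[str],
              trusted: List[Network] = TRUSTED_PROXIES) -> str:
    """Backend side, done properly: walk X-Forwarded-For from the right.

    remote_addr is the TCP peer of the backend connection (REMOTE_ADDR).
    Starting from the hop nearest to us, every trusted proxy is skipped and the
    first untrusted address is the client. Entries further left were supplied
    by that untrusted party and are ignored. This mirrors nginx's
    "real_ip_header X-Forwarded-For; real_ip_recursive on;" and the LiteSpeed
    "Use Client IP in Header" setting mentioned in the thread.
    """
    # A direct connection, or one from an unknown proxy: the header is not ours
    # to trust, so the peer address is the best answer.
    if not _is_trusted(remote_addr, trusted) or not xff:
        return remote_addr
    for hop in (h.strip() for h in reversed(xff.split(","))):
        if _is_trusted(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Malformed entry: do not log attacker-controlled text; fall back
            # to the proxy address so the problem stays visible in the logs.
            return remote_addr
    # Every hop was a trusted proxy: the request originated inside that set.
    return remote_addr


def demo() -> dict:
    """Constructed scenario from the thread: client -> nginx 192.168.2.2 -> backend."""
    proxy = "192.168.2.2"
    honest = proxy_add_x_forwarded_for("203.0.113.5", None)
    # Same client, but it sent its own X-Forwarded-For before reaching the proxy.
    spoofed = proxy_add_x_forwarded_for("203.0.113.5", "10.0.0.1")
    return {
        "backend_ignores_header": proxy,                    # what the OP saw
        "leftmost_honest": leftmost_xff(proxy, honest),
        "leftmost_spoofed": leftmost_xff(proxy, spoofed),   # attacker picks the IP
        "rightmost_honest": client_ip(proxy, honest),
        "rightmost_spoofed": client_ip(proxy, spoofed),     # still the real client
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

                              Note the order of the two checks in `client_ip`: a backend that honours X-Forwarded-For from any peer, not just 192.168.2.2, can be fed a fake address by anyone who reaches it directly, which is why the LiteSpeed option and nginx's `set_real_ip_from` both tie the header to a specific proxy address.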
                              Derelict LAYER 8 Netgate

                                Well, whatever. The real point is "it's not pfSense."

                                And how come this is related to Nginx if before everything worked perfectly? I just changed routers… This is definitely a pfSense setup problem.

                                Glad you found it.


                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.