Discourse reports user IPs as the load balancer


(Nhumrich) #1

I have an external load balancer (AWS ELB) directing traffic to my Discourse server. I have verified the X-Forwarded-For headers are being sent, but for some reason all the user IPs show up as the load balancer IP?

Is this a bug or is there some setting I am missing?


(Jeff Atwood) #2

I know @mpalmer knows a lot about this. Any advice, Matt?


(Matt Palmer) #3

I’d say you’re missing the nginx setting to “trust” the IP address that is making the connection, so the XFF header is ignored. The setting name is set_real_ip_from; grovel around in your nginx config(s) to see what (if anything) it’s currently set to, and season to taste.


(Nhumrich) #4

Thanks, found the solution here: Amazon Elastic Load Balancer and Forwarding Real-IP Nginx - EasyEngine

Basically, add the following to the http section in nginx.conf:

real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;

(Matt Palmer) #5

Oh sweet jeebers, don’t do that. It’ll allow anyone who can manage to get a HTTP connection into your servers to spoof their IP address, which will only lead to trouble. Set it to the IP range of your VPC, instead.
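
Added example, not part of the thread and not nginx's own code: a simplified Python model of how nginx's realip module chooses the client address, comparing `set_real_ip_from 0.0.0.0/0` with a trusted VPC range. The CIDR `10.0.0.0/16` and all addresses are constructed placeholders; substitute your own VPC range.

```python
import ipaddress

def real_ip(remote_addr, xff, trusted, recursive=False):
    """Simplified model of how nginx's realip module picks the client address.

    trusted   -- CIDR strings, one per set_real_ip_from line
    recursive -- models real_ip_recursive (off by default in nginx)
    """
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    # The header is honoured only when the connecting peer is trusted.
    if not xff or not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        for hop in hops:
            ipaddress.ip_address(hop)
    except ValueError:
        return remote_addr  # malformed header: keep the socket address
    if not hops:
        return remote_addr
    if not recursive:
        return hops[-1]  # last entry, the one the nearest proxy appended
    for hop in reversed(hops):  # skip trusted proxies from the right
        if not is_trusted(hop):
            return hop
    return hops[0]

# Constructed sample values (documentation and private ranges).
VPC, ANY = ["10.0.0.0/16"], ["0.0.0.0/0"]
ELB, CLIENT, FORGED = "10.0.1.25", "203.0.113.7", "198.51.100.99"

def scenarios():
    return {
        # Client forged a header; the ELB appended the true address after it.
        "via_elb_vpc_trust": real_ip(ELB, f"{FORGED}, {CLIENT}", VPC),
        # Connection reaches nginx without passing the ELB.
        "direct_any_trust": real_ip(CLIENT, FORGED, ANY),
        "direct_vpc_trust": real_ip(CLIENT, FORGED, VPC),
    }

if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name}: {addr}")
```

With trust limited to the VPC range, the header is ignored for any peer outside it, so the logged address stays the real socket address.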


(Nhumrich) #6

Oh ya, I know that much, I just didn't want to post my range to the public :wink:


(Matt Palmer) #7

Sure, but will everyone else who finds this topic and copies your example know that?


(Jeff Atwood) #8

Well, they’ll surely scroll down and see your reply just under it, though? I suspect yes.


(Matt Palmer) #9

That’s why I made my reply.