I have an external load balancer (aws ELB) directing traffic to my discourse server. I have verified the X-Forwarded-For headers are being sent, but for some reason all the user ips show up as the load balancer ip?
Is this a bug or is there some setting I am missing?
I’d say you’re missing the nginx setting to “trust” the IP address that is making the connection, so the XFF header is ignored. The setting name is set_real_ip_from; grovel around in your nginx config(s) to see what (if anything) it’s currently set to, and season to taste.
Oh sweet jeebers, don’t do that. It’ll allow anyone who can manage to get a HTTP connection into your servers to spoof their IP address, which will only lead to trouble. Set it to the IP range of your VPC, instead.