GeoIP and Nginx
- by JavierMartinez
I have nginx with GeoIP, but it is not working correctly. The issue is as follows:
Nginx is getting its geodata from $_SERVER['REMOTE_ADDR'] instead of $_SERVER['HTTP_X_HAPROXY_IP'], which holds the real client IP. So the reported geodata belongs to my server's IP instead of the client's IP.
Does anybody know where the error could be, so that I can fix it?
Nginx version and compiled modules:
nginx -V
nginx version: nginx/1.2.3
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log- path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-pcre-jit --with-debug --with-file-aio --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-auth-pam --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-echo --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-upstream-fair --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-dav-ext-module --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-syslog --add-module=/usr/src/nginx/source/nginx-1.2.3/debian/modules/nginx-cache-purge
nginx site conf (frontend machine)
# Frontend virtual host: serves /files and /assets from /var/www/storage and
# proxies everything else (and any local miss) to 10.5.0.10:8080.
server {
root /var/www/storage;
# NOTE(review): the dot in "mydomain.com" is unescaped and "^.*" accepts any
# prefix, so this pattern also matches names such as "xmydomain.com" or
# "mydomainXcom". Tighten it if only the domain and its subdomains are intended.
server_name ~^.*(\.)?mydomain.com$;
# $new_host is the Host header sent upstream: the requested name when it is a
# subdomain of mydomain.com, otherwise www.mydomain.com.
if ($host ~ ^(.*)\.mydomain\.com$) {
set $new_host $1.mydomain.com;
}
if ($host !~ ^(.*)\.mydomain\.com$) {
set $new_host www.mydomain.com;
}
add_header Staging true;
# realip: replace the client address with the X-HAProxy-IP value, but only for
# connections that arrive from 10.5.0.10.
# NOTE(review): these two directives act on this frontend server only. The
# backend excerpt on this page shows no real_ip_header/set_real_ip_from, so the
# backend would still see its proxy's address as the client; confirm against
# the elided parts of the backend nginx.conf.
real_ip_header X-HAProxy-IP;
set_real_ip_from 10.5.0.10/32;
location /files {
expires 30d;
# Only hex-named .jpg files with a _220 or _45 suffix are allowed; every other
# URI under /files is answered with 403.
if ($uri !~ ^/files/([a-fA-F0-9]+)_(220|45)\.jpg$) {
return 403;
}
# Map the flat file name onto a sharded path: the first four pairs of hex
# characters become nested directory names, the full name stays the file name.
rewrite ^/files/([a-fA-F0-9][a-fA-F0-9])([a-fA-F0-9][a-fA-F0-9])([a-fA-F0-9][a-fA-F0-9])([a-fA-F0-9][a-fA-F0-9])([a-fA-F0-9]+)_(220|45)\.jpg$ /files/$1/$2/$3/$4/$1$2$3$4$5_$6.jpg break;
# Serve from disk when the file exists, otherwise hand the request upstream.
try_files $uri @to_backend;
}
location /assets {
# Drop a leading "r<token>" path segment in front of css/js/fonts paths
# (presumably a cache-busting revision; confirm).
if ($uri ~ ^/assets/r([a-zA-Z0-9]+[^/])(/(css|js|fonts)/.*)) {
rewrite ^/assets/r([a-zA-Z0-9]+[^/])/(css|js|fonts)/(.*)$ /assets/$2/$3 break;
}
try_files $uri @to_backend;
}
location / {
proxy_set_header Host $new_host;
# Overwrites any client-supplied X-HAProxy-IP with the address nginx saw on the
# connection, so the upstream value is not client-controlled on this path.
proxy_set_header X-HAProxy-IP $remote_addr;
proxy_pass http://10.5.0.10:8080;
}
location @to_backend {
proxy_set_header Host $new_host;
# NOTE(review): unlike "location /", X-HAProxy-IP is not set here. For /files
# and /assets misses the upstream gets no trusted client address, and a value
# the client put in that header is forwarded unchanged. Setting the header
# here as well keeps the upstream from trusting client input.
proxy_pass http://10.5.0.10:8080;
}
}
nginx.conf (backend machine)
# Backend http context (excerpt; "..." marks parts the author left out).
http{
...
##
# GeoIP Config
##
# Both databases are queried with the client address as nginx sees it on the
# connection. NOTE(review): behind a proxy that is the proxy's address unless
# the realip module is configured on this machine (real_ip_header plus
# set_real_ip_from). No such directives are visible in this excerpt; confirm
# in the elided parts. Keep set_real_ip_from limited to the proxy's own
# address, since any other sender could otherwise choose its reported location.
geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
geoip_city /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
...
}
fastcgi_params (backend machine)
### SET GEOIP Variables ###
# Pass the GeoIP lookup results to the FastCGI application as request
# parameters. The values describe whichever address nginx treated as the client,
# so they are only as trustworthy as that address.
# Country database results (geoip_country).
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
# City database results (geoip_city).
fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;
haproxy.conf (frontend machine)
# Settings inherited by every proxy section below.
defaults
log global
# Adds an X-Forwarded-For header with the address of the peer that connected to
# HAProxy. NOTE(review): on this page that peer is the frontend nginx
# (proxy_pass to 10.5.0.10:8080), so the header presumably carries nginx's
# address rather than the end client's; confirm.
option forwardfor
option httpclose
mode http
retries 3
option redispatch
maxconn 4096
# Legacy timeout keywords; values are in milliseconds (100 s each).
contimeout 100000
clitimeout 100000
srvtimeout 100000
# NOTE(review): "*:8080" binds on every address of the machine. If the port is
# reachable from outside, requests can enter here without passing the frontend
# nginx and can carry their own X-HAProxy-IP header; bind to the internal
# address or firewall the port.
listen cluster_webs *:8080
# mode http, option httpclose and option forwardfor repeat the defaults above.
mode http
option tcpka
# NOTE(review): the server line below has no "check" keyword, so this
# health-check option appears to have no effect; confirm.
option httpchk
option httpclose
option forwardfor
balance roundrobin
server backend-stage 10.5.0.11:80 weight 1
$_SERVER dump: http://paste.laravel.com/7dy
Here 10.5.0.10 is the frontend's private IP and 10.5.0.11 is the backend's private IP.