Chapter 4[ 87 ]When HTTP error code 401 is configured to be served from an error_
page, the authentication will not complete. You may want to do this in
situations when the authentication backend is offline, for maintenance
or other reasons, but you should otherwise avoid them.Determining the client's real IP address
When using a proxy server, the clients don't have a direct connection to the upstream
servers. The upstream servers, therefore, aren't able to get information directly from
those clients. Any information, such as the client's IP address, would need to be
passed via headers. NGINX provides this with the proxy_set_header directive:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;The client's IP address will then be available in both the X-Real-IP and
X-Forwarded-For headers. The second form takes a client request header into
account. If present, the IP address of the request will be added to the X-Forwarded-
For header from the client, separated by a comma. Depending on your upstream
server configuration, you will need one or the other of these. Configuring Apache,
for example, to use the X-Forwarded-For header for the client's IP address in its logs
is done using the %{
The following example shows how to change the default 'combined' Apache
log format:
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"" combinedIf your upstream server, on the other hand, requires a non-standard header such as
Client-IP, then this can easily be configured with the following:
proxy_set_header Client-IP $remote_addr;Other information, such as the Host header, can be passed to the upstream servers
in the same manner:
proxy_set_header Host $host;