Nginx as Reverse Proxy
You seem to have a NAT device (router/firewall) or another proxy before the NGINX.
If it is another proxy, this is easily solvable with F5 using universal persistence on the XFF header (https://community.f5.com/t5/technical-forum/enable-source-ip-persistence-based-on-x-forwarded-ip-info/td-p/98748), but with nginx you may need to see if you can set the real client IP address to be based on XFF and then see if ip_hash will work as it should, or try other methods like "hash" or "consistent_hash" based on the value of the XFF header.
https://www.loadbalancer.org/blog/nginx-and-x-forwarded-for-header/
http://nginx.org/en/docs/http/ngx_http_upstream_module.html#sticky
https://www.nginx.com/resources/wiki/modules/consistent_hash/
Other than that try maybe least_connections load balancing with session cookie:
https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/
https://www.nginx.com/products/nginx/load-balancing/#session-persistence
There is another persistence if you do not decrypt the SSL traffic, that is SSL session persistence by SSL session ID; F5 supports this and I do not think Nginx does.
Hi, Thanks for your reply.
Since it is Nginx open source, we are unable to use the "consistent_hash" directive (it gives the error "unknown directive "consistent_hash""). Also, we checked at the LB end and the client IP addresses are getting passed from the LB via the X-Forwarded-For header. We tried configuring the same in the nginx config file but the issue still persists. Can you kindly let us know if there are any configuration issues or if we are missing something?
Here is my configuration,
    upstream tomcat {
        ip_hash;
        server 192.168.x.y:8080;
        server 192.168.x.y+1:8080;
    }

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '--"$proxy_add_x_forwarded_for"--';

    server {
        listen 192.168.a.b:80;
        server_name example.com www.example.com;
        access_log /var/log/nginx/access.log main;
        client_max_body_size 5120M;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Referrer-Policy "strict-origin";
        add_header X-XSS-Protection "1; mode=block";
        location / {
            proxy_pass http://tomcat;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $http_x_forwarded_for;
        }
    }

    ## where 192.168.x.y and 192.168.x.y+1 are the application servers,
    ## and 192.168.a.b:80 is the Nginx server running on port 80
The Sample of output log comes like below
10.*.*.* - - [20/Jun/2022:19:43:17 +0530] "GET /x/x/x/x HTTP/1.1" 302 154 "https://x.x.x.x/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36" "117.x.x.x%2"
10.*.*.* - - [20/Jun/2022:19:43:17 +0530] "GET /x/x/x/x HTTP/1.1" 302 154 "https://x.x.x.x/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36" "49.x.x.x%2"
where 10.*.*.* is the IP of the LB and 117.x.x.x, 49.x.x.x are the client IPs.
10.*.*.* remains same in all the subsequent access log.
A lot of thanks!!
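The configuration the first reply points at (set the real client IP from XFF, then let ip_hash work) is the open-source ngx_http_realip_module, which the posted config does not use: ip_hash keys on the connection's source address, so with the LB in front every request hashes to the LB's 10.*.*.* address and lands on the same backend. The following is an added example written for this thread, not the poster's config or anything from the F5 or nginx projects. It assumes the LB addresses fall in 10.0.0.0/8 (a constructed placeholder; use the real LB address or range) and that realip is compiled in, as it is in the standard nginx packages.

```nginx
# Added example (not from the thread): let ip_hash see the real client address.
# Assumes the load balancer lives in 10.0.0.0/8 (constructed placeholder) and
# sends X-Forwarded-For. Requires ngx_http_realip_module (built into stock nginx).

upstream tomcat {
    ip_hash;                        # hashes the client address that realip restores below
    server 192.168.x.y:8080;
    server 192.168.x.y+1:8080;

    # Alternative available in open-source nginx since 1.7.2 (the "consistent_hash"
    # directive is a third-party module): comment out ip_hash and use
    #   hash $remote_addr consistent;
}

server {
    listen 192.168.a.b:80;
    server_name example.com www.example.com;

    # Only addresses listed here are trusted to supply X-Forwarded-For.
    # Without this restriction any client could spoof the header to pick
    # its backend and to pollute the access log.
    set_real_ip_from 10.0.0.0/8;    # constructed: replace with the LB's address/range
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;           # skip trusted hops; take the last untrusted address

    location / {
        proxy_pass http://tomcat;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $remote_addr is now the client IP rather than the LB, so pass it on as-is
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Check the result with the existing log_format: after the change the first field of each access-log line should show the client addresses (117.x.x.x, 49.x.x.x) instead of the LB's 10.*.*.*, and repeated requests from one client should reach the same Tomcat. One caveat on ip_hash itself: for IPv4 it hashes only the first three octets, so all clients behind one /24 share a backend; `hash $remote_addr consistent` hashes the full address and rebalances less disruptively when a server is added or removed.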