Proxying services with forwarding client IPs

Hi everyone,

This could be a repeated query and honestly I am a newbie to redirects and proxying in general.

Here is our setup for freeCodeCamp.org:

Architectural diagram of freeCodeCamp.org

To be brief, we have three main applications: learn, news and forum.

learn is served from Netlify at the root of the domain, and we have two other services, which are Ghost and Discourse instances respectively, behind an NGINX.

Now we are unable to correctly get the true client IP addresses from our NGINX instance, because Netlify reverse proxies these from its CDN servers. This, I understand, is expected.

For various reasons we would like to keep the applications at /news and /forum, hence the need for a reverse proxy from Netlify.

Here is the _redirects file:

...
/forum/*    https://forum-proxy.freecodecamp.org/forum/:splat 200
/news       https://news-proxy.freecodecamp.org/news/ 200
/news/*     https://news-proxy.freecodecamp.org/news/:splat 200
...

Now we would like to update the _headers file to send headers like X-Forwarded-For and X-Real-IP, like we used to in our NGINX before moving over to Netlify for the root domain.

Before our move we had yet another NGINX instance that served the static site and forwarded the IP addresses like so to the forum and news NGINX:

# snippet from our previous NGINX config
# add client's IP to proxy request to upstream node servers
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;

We used to be able to intercept these and use them in Discourse as needed.

Now the question is:

How do we do this using the headers file? Please note that Cloudflare is not an issue here because we see Netlify’s CDN IP addresses, so it needs to be forwarded further to the NGINX instance serving these applications.

Thanks for your time and consideration that I am fairly new to proxying and rewrites.

Did you use the search before posting?

Yes. With not much idea on the current solutions.

What about reading through our Common Issues?

Yes. Verified that this is not a common issue.

As you’re aware, we don’t provide tech support for Cloudflare-fronted sites: [Common Issue] Why isn’t my SSL certificate provisioning automatically with Cloudflare & Netlify? Are there other problems with using Cloudflare in front of Netlify?

This is not a Cloudflare issue, so I’ll speak to this as though Cloudflare was not involved.

To start with, we don’t provide the IP in a way you can manipulate using the headers functionality; it’s not available AT BUILD TIME which is when you must configure headers. This is in essence a “static” configuration for headers - there is no dynamic “variable substitution” even if we did have that available as a variable.

However, the IP is available in the HTTP headers. While we do reserve the right to change this implementation, you can currently and for the immediate future at least, use the X-Bb-IP header, as shown in this screenshot (generated by testing a proxy route via requestbin.com):

Not sure if your setup can use it, but it’s what’s available, and we don’t intend to make anything else available in the foreseeable future for normal proxy’d requests such as you’re describing.

Hi @fool

Thanks for your fast response on this. I was able to use the header like you mentioned and resolve the issue.

I totally understand that these are non-conventional setups and having Cloudflare adds to the complexity.

That said, your recommendation seems to have fixed our burning fire and we will be working on a more reliable solution that does not depend on this header.

Thanks once again.
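One way to consume the X-Bb-IP header on the NGINX side, added here as an example and not taken from the thread or from freeCodeCamp's or Netlify's own configuration. It contrasts passing the header through unconditionally with accepting it only from trusted peers. The trusted range (192.0.2.0/24), the listen port, the log path and the upstream address are placeholder assumptions.

```nginx
# Added example; belongs in the http {} context (e.g. a file under conf.d/).

# Weak form, shown for contrast: copies the header no matter who connected,
# so any client that can reach this NGINX directly can choose its own "IP".
#   proxy_set_header X-Real-IP $http_x_bb_ip;

# Hardened form: ngx_http_realip_module rewrites $remote_addr from X-Bb-IP
# only when the TCP peer is inside a trusted range.
# 192.0.2.0/24 is a constructed placeholder (TEST-NET-1), not a Netlify range.
set_real_ip_from 192.0.2.0/24;
real_ip_header   X-Bb-IP;

# Log both addresses so a mismatch can be audited later:
# $realip_remote_addr is the original peer, $remote_addr the resolved client.
log_format proxied '$realip_remote_addr -> $remote_addr [$time_local] '
                   '"$request" $status';

server {
    listen 80;                                   # assumption
    server_name forum-proxy.freecodecamp.org;
    access_log /var/log/nginx/forum.access.log proxied;   # placeholder path

    location /forum/ {
        # Overwrite, rather than append to, whatever the client sent.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header Host            $host;
        proxy_pass http://127.0.0.1:3000;        # placeholder upstream
    }
}
```

Requests from peers outside the trusted range keep their socket address, so an X-Bb-IP value sent straight to the proxy host is ignored by the applications behind it.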