$realip_remote_addr

Description

The $realip_remote_addr variable is designed to retrieve the actual remote IP address of a client when NGINX is configured to operate behind a proxy or load balancer. This scenario often arises when the client connects to an intermediary server, making it difficult to ascertain the original client's IP address from standard connection methods. NGINX effectively handles this situation by using the X-Real-IP or X-Forwarded-For HTTP headers, which are common standards for passing on the originating IP address. When NGINX receives a request, it checks these headers in the specified order, and if an IP address is found in one of these headers, it sets the $realip_remote_addr variable to that value. If the headers are absent, the variable defaults to the direct client IP address as seen from NGINX's perspective. Correctly interpreting this variable usually requires proper configuration of both the upstream proxy settings and the headers used to pass along the client IPs. This ensures that the correct information is displayed and logged, leading to more accurate data and security measures. Typically, the value of $realip_remote_addr reflects either the actual remote IP address of the client making the request or falls back to the last known IP address if the original cannot be resolved. It is especially relevant in scenarios involving multiple layers of networks, enhancing both logging and access control capabilities by providing accurate client identification.

Config Example

http {
    set_real_ip_from 192.0.2.0/24; # Allow this range to set the real IP
    real_ip_header X-Forwarded-For;   # Specify the header to use

    server {
        listen 80;
        location / {
            # Access can be logged with the original client's IP
            access_log /var/log/nginx/access.log main;
        }
    }
}