Forward IP Addresses with NGINX Proxy

I love nginx. I love how its lightweight, does what it does well and is extremely fast. Nginx has the ability to perform server blocks (virtual hosts in Apache) which is great, though causes problems when having to forward IP addresses within its proxy headers. There is a solution.

Off-topic: This year ASIC blocked 250000 websites because its blacklisted websites based on their IP addresses instead of their domain name as they were running Virtual Hosts/Server Blocks! Quite a blunder when you get people that don't know how the Internet works to regulate it. Read it here. Take a stand against things like this - see what you can do at as Australia plans to track and record your online movements (even physical moments on your mobile devices!).

Edit the proxy configuration

First thing is to edit your proxy server block located on the proxy server. Here's what mine basically looks like:

## redirect to https
server {
  listen      80 default_server;
  return 301;

## redirect www prefix to https
server {
  listen      80;
  return 301;

server {
  #listen 80;
  listen 443 ssl default_server;
  ssl_certificate /etc/nginx/ssl/;
  ssl_certificate_key /etc/nginx/ssl/;

  location / {
    proxy_set_header  Host $host;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  X-Forwarded-Proto https;
    proxy_set_header  X-Forwarded-For $remote_addr;
    proxy_set_header  X-Forwarded-Host $remote_addr;

It's very important to include these three lines:

  • Host: name and port of the proxied server.
  • X-Real-IP: sends the visitor's IP address to your virtual host
  • X-Forwarded-For: sends the visitor's IP address to your virtual host

Edit your proxied server configuration

Now on your proxied server's configuration you'll need to include three importants lines within the server block, but outside of any location blocks.

server {
    #other junk here blah blah
    real_ip_header X-Real-IP;
    real_ip_recursive on;

    location / {
       #some junk here

The three lines are:

  • setrealip_from: this tells nginx to grab the real visitor's IP from any proxy server within this range. This can also be a static IP address such as
  • realipheader: nginx will pick out the client's IP address from the addresses its given
  • realiprecursive: the proxy server's IP is replaced by the visitor's IP address

Example - I'm gonna the forward IP addresses

The reason I posted this was because on this site, comments left by you guys were shown as coming from my proxy server (, hiding everyone's IP address behind my own proxy server. Take a look

proxy comments

Now with the changes above...

comments work

The forwarded IP addresses is no longer my proxy server :smile:

Thanks to Nick M from Server Fault. I literally searched this for a whole hour and I'm just expanding on what he's provided already.