Ad Widget

Collapse

Zabbix Audit Log Behind NGINX Reverse Proxy Shows All Logons from 127.0.0.1

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • dieselfluxcapacitor
    Junior Member
    • Jul 2023
    • 11
    #1

    Zabbix Audit Log Behind NGINX Reverse Proxy Shows All Logons from 127.0.0.1

    Background
    I am running the 6.4 Zabbix Frontend on Ubuntu 20.04.
    Code:
    uname -a

Linux 5.4.0-156-generic #173-Ubuntu SMP Tue Jul 11 07:25:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux​
    It is reverse proxied behind an NGINX webserver.
    Code:
    nginx -v

nginx/1.18.0 (Ubuntu)
    Problem
    When I view the Audit Log in the Zabbix frontend, all remote authentication attempts appear to be coming from 127.0.0.1. I understand this is because NGINX is proxying remote HTTPS traffic to http://localhost:8080. Has anyone figured out how to modify their NGINX configuration to properly proxy the correct IP address attribute of the remote machine to the Zabbix frontend?

    Additional Information
    NGINX configuration (with PII scrubbed)
    Code:
    server {
  
        server_name     <URL 1> <URL 2>;
        root /var/www/html;

        # Reverse proxy the Zabbix frontend
        location / {
                proxy_pass http://localhost:8080;
        }

        # Reverse proxy for Grafana
        location /grafana {
                proxy_set_header Host $http_host;
                proxy_pass http://localhost:3000;
        }

        # Proxy Grafana Live WebSocket connections.
        location /grafana/api/live {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_set_header Host $http_host;
                proxy_pass http://localhost:3000;
        }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/.../fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/.../privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}
server {
        server_name     localhost;
        listen  80;

        # Enable the NGINX http_stub_status page so Zabbix can monitor the service
        location /basic_status {

                # Turn on nginx stats
                stub_status on;

                # I do not need logs for stats
                access_log   off;

                # Security: Only allow access from local IP
                allow 127.0.0.1;

                # Send rest of the world to /dev/null #
                deny all;
        }
}
server {
    if ($host = <URL 1>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = <URL 2>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name     <URL 1> <URL 2>;
        listen  80;
    return 404; # managed by Certbot

}​
    1 Photo
    Tags: audit log, frontend, nginx, reverse proxy, zabbix
    • ferimou
      Junior Member
      • Jan 2025
      • 1
      #2
      I have this problem too. My audit log only shows the NGINX reverse proxy IP. I set these proxy headers:
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host;
      But nothing changes.

        Comment

        • cyber
          Senior Member
          Zabbix Certified SpecialistZabbix Certified Professional
          • Dec 2006
          • 4807
          #3
          Get user real ip in nginx behind nginx reverse proxy
          https://ypereirareis.github.io/blog/2017/02/15/nginx-real-ip-behind-nginx-reverse-proxy/
          Behind a reverse proxy, the user IP we get is often the reverse proxy IP itself. But for obvious reasons it's important to have access to the user real ip address.

          I dont know if this gives you complete solution (kind of old link already), but you might get a bit pushed in right direction..

            Comment

            Previous template Next
            Working...