#38355 Confirming Proper Settings when Behind Load Balancer

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
3.10.5
PHP version
7.4.11
Admin Tools version
6.1.8

Latest post by nicholas on Thursday, 19 January 2023 00:53 CST

[email protected]

I want to begin by saying I've read the documentation. I'm sure many do not, and I can imagine how annoying that is.

That said, there is a lot of information, and I wanted to confirm that I've understood it correctly.

My company has two Windows servers that run our applications, and we have an nginx server used solely to host the Joomla front end. All sit behind a load balancer.

I have not successfully gotten the nginx config to use the X-Forwarded-For header (my experience is with htaccess and web.config). But based on your documentation, it may not be necessary if I enable the global Joomla config "behind load balancer" - is that correct? That's the part that I am unclear about.

nicholas
Akeeba Staff
Manager

Your load balancer MUST produce the correct X-Forwarded-For HTTP header which includes the real IP of the remote user. Otherwise, any IP-based feature cannot possibly know the user's real IP address, it will only see the load balancer's IP address.

Fix that first, then enable Joomla's "Behind Load Balancer" feature. What the latter does is that it reports the IP address conveyed through X-Forwarded-For as the user's real IP address (instead of the IP address reported by the web server which is the load balancer's IP address).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

[email protected]

That makes sense. I thought it was too convenient of a solution if I only had to enable the setting in Joomla.

I appreciate the quick reply.

nicholas
Akeeba Staff
Manager

Actually, it may be that simple. I think I misread your ticket, misunderstanding that NginX was the load balancer. My bad.

The X-Forwarded-For HTTP header is something that your load balancer is meant to send. You have a separate load balancer which, as far as I can infer from your message, does send that header.

I believe that when you said “I have not successfully gotten the nginx config to use the X-Forwarded-For header” you meant setting up NginX itself to honour the X-Forwarded-For header. You don't need to do that. Instead of that, you can simply enable Joomla's "Behind Load Balancer" option.

Nicholas K. Dionysopoulos

Lead Developer and Director


[email protected]

Interesting. I am by no means an expert on the subject, and I was under the impression the X-Forwarded-For header is set up at the server level. For instance, with the Windows servers I mentioned, I was able to add X-Forwarded-For as a custom header in IIS.

But as I think about this more, maybe you're right. I haven't seen a config in our AWS LB that looks like it deals with X-Forwarded-For, but I will take a closer look.

[email protected]

Okay, you were right!

So I guess I have a different issue that I need to solve. The LB is set to include the X-Forwarded-For header, but for some reason the nginx server doesn't log the IP.

Anyway, at least I have a better idea of where the problem lies. I'll figure it out.

Thanks again.

nicholas
Akeeba Staff
Manager

> but for some reason the nginx server doesn't log the IP.

Correct! It logs the IP of the last non-transparent network device before your web server, i.e. the load balancer. That's why the load balancer sets the X-Forwarded-For HTTP header, to communicate the real IP of the user without it getting forever lost.

For setting up your logging you may want to do something like this https://djangocas.dev/blog/nginx/nginx-access-log-with-real-x-forwarded-for-ip-instead-of-proxy-ip/

Nicholas K. Dionysopoulos

Lead Developer and Director

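
The mechanism described in the replies above (the load balancer conveys the visitor's address in X-Forwarded-For, and the application reports that address instead of the load balancer's own), shown as an added example that is not part of the ticket and is not Joomla or Admin Tools code. It goes one step further than the thread: the header is honoured only when the request really arrived from the load balancer, and entries are read right to left so that values a client typed into the header itself are not believed. The `10.0.0.0/16` range and the function names are assumptions.

```python
import ipaddress

# Assumed (constructed) subnet the load balancer nodes connect from; replace
# it with the addresses of your own load balancer.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]


def _is_trusted(ip):
    """True when the address belongs to our own proxy tier."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to treat as the visitor's IP.

    peer_addr  -- TCP peer address, i.e. what the web server logs by default
    xff_header -- raw X-Forwarded-For value, or None when the header is absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A request that bypassed the load balancer can carry any header value,
    # so X-Forwarded-For is ignored unless the peer is a trusted proxy.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Each proxy appends the address it received the request from, so the
    # right-most entries were written by our own infrastructure. Walk right
    # to left and stop at the first address that is not one of our proxies.
    candidate = peer
    for raw in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(raw.strip())
        except ValueError:
            break  # malformed entry: believe nothing further to the left
        candidate = hop
        if not _is_trusted(hop):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed samples: (peer address, X-Forwarded-For value)
    for peer, xff in [("10.0.1.5", "203.0.113.7"),
                      ("10.0.1.5", "192.0.2.1, 203.0.113.7"),
                      ("198.51.100.9", "192.0.2.1")]:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```
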
