Reputation: 123
We are load balancing syslog traffic with nginx, but right now the syslog server sees all events coming from the IP address of the nginx load balancer. How do I have the nginx "proxy_pass" method keep the source IP intact?
nginx.conf (source IP ends up as nginx's)
    events {
        worker_connections 1024;
    }
    stream {
        upstream logstash_servers {
            server logstash-collector-01:514 max_fails=2 fail_timeout=5s;
            server logstash-collector-02:514 max_fails=2 fail_timeout=5s;
        }
        server {
            listen 514;
            proxy_pass logstash_servers;
        }
    }
In another answer I found someone used "proxy_bind $remote_addr transparent;" but when I tried that my syslog server received nothing -- uncommenting the line went back to normal (where the source IP was still wrong).
nginx.conf (nothing gets passed to upstream servers):
    events {
        worker_connections 1024;
    }
    stream {
        upstream logstash_servers {
            server logstash-collector-01:514 max_fails=2 fail_timeout=5s;
            server logstash-collector-02:514 max_fails=2 fail_timeout=5s;
        }
        server {
            listen 514;
            proxy_pass logstash_servers;
            proxy_bind $remote_addr transparent;
        }
    }
Upvotes: 1
Views: 11483
Reputation: 123
The best answer here is using "proxy_bind $remote_addr transparent;" after the proxy_pass line to make nginx a transparent proxy and passing on the original IP address. In order for that to work, you must specify "user root;" in the "main" context (aka top of your nginx.conf, outside of any events{}, stream{}, etc.).
Upvotes: 3
Reputation: 1107
For IP transparency to work you have to make NGINX the default gateway on your upstream server. It's better to pass the original client IP in the X-Forwarded-For header and log that instead.
Upvotes: 0
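Added example, not part of any post above: the two answers combined into one configuration for the question's TCP listener on port 514, with the return-path routing that transparent binding depends on. It assumes Linux hosts; `<NGINX_INTERNAL_IP>` and `<COLLECTOR_SUBNET>` are placeholders, and the routing commands in the comments are one assumed way of meeting the gateway requirement, not something the posters supplied.

```nginx
# Main context. Per the first answer, workers need privileges to bind to a
# non-local address, so they run as root here. The nginx documentation for
# proxy_bind notes that on Linux since 1.13.8 workers inherit CAP_NET_RAW
# from the master when "transparent" is used, so this line may be unnecessary.
user root;

events {
    worker_connections 1024;
}

stream {
    upstream logstash_servers {
        server logstash-collector-01:514 max_fails=2 fail_timeout=5s;
        server logstash-collector-02:514 max_fails=2 fail_timeout=5s;
    }

    server {
        listen 514;
        proxy_pass logstash_servers;
        # Upstream connections leave nginx with the client's address as source.
        proxy_bind $remote_addr transparent;
    }
}

# Routing that has to exist outside nginx.conf (assumed commands):
#
# On each collector, per the second answer, replies addressed to the original
# client IP must be routed back through the nginx host. Otherwise the
# collector answers the client directly, the TCP handshake with nginx never
# completes, and no events arrive.
#   ip route replace default via <NGINX_INTERNAL_IP>
#
# On the nginx host, deliver that return traffic to the local stack so the
# worker that opened the connection receives it:
#   iptables -t mangle -A PREROUTING -p tcp -s <COLLECTOR_SUBNET> --sport 514 \
#            -j MARK --set-xmark 0x1/0xffffffff
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
```

Once traffic flows, confirm on a collector that the peer address of connections on port 514 is the original sender and not the load balancer before relying on the source IP for attribution or alerting.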