mdounin at mdounin.ru
Tue Aug 16 12:39:11 UTC 2011
On Tue, Aug 16, 2011 at 12:46:11PM +0300, Anatoli Marinov wrote:
> Hello mates,
> I tried realip_module and I found it does not work as I expect.
> For example the header may look like this:
> X-Forwarded-For: client1, proxy1, proxy2
> Where client1 should be the real ip address of the client, proxy1
> should be the first proxy after the client and proxy2 should be the
> last proxy after the client and the first before the nginx. Nginx
> has the connection with proxy2.
If request flow looks like
client1 -> proxy1 -> proxy2 -> nginx
(that is, nginx sees a connection from proxy2) X-Forwarded-For
header will be "client1, proxy1". The address added by proxy2 is
"proxy1". If we trust proxy2, we may only use "proxy1" as a
client address; everything else isn't trusted.
> I think in this case realip_module should return client1 ip address.
> It returns the latest address in the field - proxy2.
> What do you think? Is the behaviour wrong or do I not understand the
> meaning of this header?
Right now nginx is only able to take *one* address, the one which
was added by a trusted proxy which connected to nginx.
As X-Forwarded-For contains a chain of addresses, it's possible
to pick first untrusted address. That is, in the above case we
may pick "client1" if we trust both proxy2 and proxy1. This is
not currently done, see http://trac.nginx.org/nginx/ticket/2.
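The two strategies contrasted in the reply above, as an added example that is not nginx code and not part of the thread: the one-hop rule (take only the address appended by the trusted peer that connected to nginx) beside the recursive rule (walk the chain right-to-left past every trusted proxy and stop at the first untrusted address). The trusted network and all addresses are constructed.

```python
import ipaddress

# Constructed for this example: the trusted proxy network is an assumption,
# not a value from the thread or from any nginx configuration.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_ip(text):
    """Return an ip_address for one X-Forwarded-For entry, or None if malformed."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(ip, trusted):
    return ip is not None and any(ip in net for net in trusted)


def real_ip(peer, xff, trusted=TRUSTED_PROXIES, recursive=False):
    """Pick the client address from an X-Forwarded-For chain.

    peer      -- address of the TCP peer that connected to nginx
    xff       -- X-Forwarded-For value, left (client) to right (nearest proxy)
    recursive -- False: use only the rightmost entry, the one appended by the
                 trusted peer (the one-hop behaviour described in the thread);
                 True: walk right-to-left past trusted proxies and return the
                 first untrusted entry (the chain-walking behaviour the reply
                 describes as possible).
    Falls back to the peer address whenever the header cannot be trusted.
    """
    if not is_trusted(parse_ip(peer), trusted):
        return peer  # header set by an untrusted peer: ignore it entirely
    chain = [e for e in (x.strip() for x in xff.split(",")) if e]
    if not chain:
        return peer
    if not recursive:
        last = parse_ip(chain[-1])
        return str(last) if last is not None else peer
    # Rightmost entries were appended by the proxies nearest to nginx; each
    # trusted proxy vouches only for the entry immediately to its left, so
    # stop at the first entry that was not added by a trusted proxy.
    for entry in reversed(chain):
        ip = parse_ip(entry)
        if ip is None:
            return peer  # malformed entry: nothing left of it can be trusted
        if not is_trusted(ip, trusted):
            return str(ip)
    # Every entry is a trusted proxy: the leftmost is the best remaining answer.
    return str(parse_ip(chain[0]))
```

Note that the recursive walk ignores anything the client put left of the first untrusted hop, so a forged leading entry cannot displace the real client address.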