Can real_ip_header's behavior be altered slightly?
Michael Shadle
mike503 at gmail.com
Wed Dec 30 03:14:58 MSK 2009
On Tue, Dec 29, 2009 at 4:07 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> The last one is the address added by last proxy. As we trust last
> proxy - we use address added by it.
>
> The first address is the address as it came from client. You
> probably don't want to trust it at all.
>
> If you want to pass original ip address of client through multiple
> proxies - you just need to use real_ip_from / proxy_set_header
> consistently on all proxies in chain.
It appears that the order we're receiving it is from multiple
X-Forwarded-For addresses...
This is from:
corporate network proxy -> CDN -> nginx server
The corporate network proxy passes on an IP in X-Forwarded-For, then
the CDN seems to use X-Forwarded-For as well. nginx seems to get them
but the order is opposite. Are you sure this logic is proper? In this
experience it is actually backwards.
It's not actually a corporate proxy or CDN we have any control over.
We're just inheriting these headers.
More information about the nginx
mailing list