Can real_ip_header's behavior be altered slightly?
mdounin at mdounin.ru
Wed Dec 30 03:29:22 MSK 2009
On Tue, Dec 29, 2009 at 04:14:58PM -0800, Michael Shadle wrote:
> On Tue, Dec 29, 2009 at 4:07 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > The last one is the address added by last proxy. As we trust last
> > proxy - we use address added by it.
> > The first address is the address as it came from client. You
> > probably don't want to trust it at all.
> > If you want to pass original ip address of client through multiple
> > proxies - you just need to use real_ip_from / proxy_set_header
> > consistently on all proxies in chain.
> It appears that the order we're receiving it is from multiple
> X-Forwarded-For addresses...
> This is from:
> corporate network proxy -> CDN -> nginx server
> The corporate network proxy passes on an IP in X-Forwarded-For, then
> the CDN seems to use X-Forwarded-For as well. nginx seems to get them
> but the order is opposite. Are you sure this logic is proper? In this
> experience it is actually backwards.
> It's not actually a corporate proxy or CDN we have any control over.
> We're just inheriting these headers.
Well, as long as you have no control over proxies in chain - you
probably want to iterate over addresses in X-Forwarded-For from
last to first until you find one which isn't trusted. This isn't
something nginx is able to do right now.
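
The walk described above (X-Forwarded-For read from last to first until an address that is not trusted turns up), as an added Python example that is not part of the original message and not nginx code. The names `TRUSTED_PROXIES` and `client_ip` and the proxy ranges are assumptions made for illustration.

```python
import ipaddress

# Constructed trusted-proxy ranges (documentation networks), not from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "198.51.100.0/24")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to one of the proxy networks we trust."""
    return any(addr in net for net in trusted)


def client_ip(peer, xff_values, trusted=TRUSTED_PROXIES):
    """Pick the address to treat as the client.

    peer       -- source address of the TCP connection
    xff_values -- every X-Forwarded-For header line, in the order received
    """
    current = ipaddress.ip_address(peer)
    if not is_trusted(current, trusted):
        # The sender is not one of our proxies, so the header is
        # client-controlled and must be ignored entirely.
        return str(current)
    # Several header lines are equivalent to one comma-joined list.
    hops = [h.strip() for line in xff_values
            for h in line.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address a proxy vouched for
        current = candidate
        if not is_trusted(current, trusted):
            break  # first untrusted address from the right is the client
    return str(current)


if __name__ == "__main__":
    # Constructed request: a client-supplied entry, then the entry appended
    # by a trusted hop (198.51.100.5), arriving from a trusted peer.
    print(client_ip("192.0.2.10", ["10.1.1.1, 203.0.113.7, 198.51.100.5"]))
```

Entries to the left of the first untrusted address are never consulted, so a value the client placed in the header itself cannot be selected.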