Reverse Proxy Security
nginx-forum at nginx.us
Fri Apr 23 02:09:28 MSD 2010
When using nginx as reverse proxy, to determine the actual client IP address I would need to rely on the X-Real-IP header. Since this is just an HTTP header than can be faked, is it possible for a visitor to include an X-Real-IP header value of their own, passing a fake IP to the back-end server? Does nginx always overwrite this value with the one it detects?
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,78144,78144#msg-78144
More information about the nginx