Reverse Proxy Security

任晓磊 julyclyde at
Fri Apr 23 07:46:33 MSD 2010

You may choose a unusual Header name.

On Fri, Apr 23, 2010 at 6:09 AM, karmaboy <nginx-forum at> wrote:
> When using nginx as reverse proxy, to determine the actual client IP address I would need to rely on the X-Real-IP header. Since this is just an HTTP header than can be faked, is it possible for a visitor to include an X-Real-IP header value of their own, passing a fake IP to the back-end server? Does nginx always overwrite this value with the one it detects?
> Thx
> Posted at Nginx Forum:,78144,78144#msg-78144
> _______________________________________________
> nginx mailing list
> nginx at

Ren Xiaolei

More information about the nginx mailing list