[PATCH] Improve X-Forwarded-For handling in realip

Omar Kilani omar.kilani at gmail.com
Thu Dec 2 06:31:19 MSK 2010

Hi Michael,

You should be able to get a list of subnets from your CDN, which you
can add to 'set_real_ip_from'. This way, you'll get the first
untrusted IP in the chain -- the scan works backwards, so even if your
XFF looked like:

X-Forwarded-For: proxy1 proxy2 client1

You'll get 'client1' if you add 'proxy1' or 'proxy2' to 'set_real_ip_from'.

And if your XFF looked like:

X-Forwarded-For: client1 proxy1 proxy2

You'll get 'client1' too -- hence the patch. :)


On Thu, Dec 2, 2010 at 2:26 PM, Michael Shadle <mike503 at gmail.com> wrote:
> On Wed, Dec 1, 2010 at 7:23 PM, Omar Kilani <omar.kilani at gmail.com> wrote:
>> The problem is that nginx doesn't do the "first IP in the header which
>> is not trusted" part -- it always returns the last IP in the
>> X-Forwarded-For header, no matter what.
> we have an issue where our CDN gives us the reverse XFF header - we
> really want the LAST ip, not the first one (or vice versa) and nginx
> gives us the first one which doesn't help :(
> making the realip behavior more configurable gets a big +1 from me.
> not sure if this is as configurable as it could be though.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx

More information about the nginx mailing list