Feature Request: write error logs when detecting duplicate http headers

杨镭 clanherb at gmail.com
Tue Jun 7 19:21:06 MSD 2011


When duplicate http headers occur(e.g., two X-Forwarded-For headers), nginx
will use the first instance silently. This means internal variables like
$http_x_forwarded_for is not entirely *correct,* users have to capture
packets in the network layer to find out the truth. This is a lot of
inconvenient compared to customize log format.

Also, for headers like "X-Forwarded-For", attackers can intentionaly inject
serveral spoofed ip addresses.

Although nginx cannot possibly known which one is more important than the
others, it MAY alert user by logging "duplicated headers detected,
header:value1, value2, ... value N".

Currently, we use nginx-lua module to detect duplicate headers, like:

itable = ngx.req.get_headers()["X-Forwarded-For"]
for k, v in iparis(itable) do
  -- process duplicate header

lei yang
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nginx.org/pipermail/nginx/attachments/20110607/9657e6ab/attachment.html>

More information about the nginx mailing list