Feature Request: write error logs when detecting duplicate http headers

Justin Cormack justin at specialbusservice.com
Wed Jun 8 15:02:39 MSD 2011

On Tue, Jun 7, 2011 at 4:21 PM, 杨镭 <clanherb at gmail.com> wrote:

> Hi:
> When duplicate http headers occur(e.g., two X-Forwarded-For headers), nginx
> will use the first instance silently. This means internal variables like
> $http_x_forwarded_for is not entirely *correct,* users have to capture
> packets in the network layer to find out the truth. This is a lot of
> inconvenient compared to customize log format.
> Also, for headers like "X-Forwarded-For", attackers can intentionaly inject
> serveral spoofed ip addresses.
> Although nginx cannot possibly known which one is more important than the
> others, it MAY alert user by logging "duplicated headers detected,
> header:value1, value2, ... value N".
It is not a matter of "knowing which is more important", the spec is clear
which headers can be repeated and which are invalid, and for this header
repeating it is invalid. You should make sure you filter any headers you are
using internally like X-Forwarded-For anyway as a security measure...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nginx.org/pipermail/nginx/attachments/20110608/f0cf0b6d/attachment.html>

More information about the nginx mailing list