Where does $remote_addr come from?

Paul Nickerson pnickerson at cashstar.com
Mon Feb 6 14:24:37 UTC 2017


B.R.
> I am curious: apart from a training perspective at code digging, what was
> the goal?
> In other words, where did you expect the IP address to come from, if not
> from a system network socket?

We have NGINX AWS EC2 Instances behind AWS EC2 ELBs, as well as Fastly's
CDN and maybe some custom load balancers, but sometimes an IP address that
we log is not readily identifiable. I was also seeing some configurations
in our setup that suggested we may have been using $remote_addr
incorrectly, in log auditing for example.

So before I verified that and chased the odd IPs, I wanted to make sure
that I understood exactly what $remote_addr refers to. I thought that maybe
it was actually derived from the HTTP header, or maybe a module could be
modifying it without being explicitly configured to do so, or maybe it's
possible for a bad actor to spoof it. Now I know that it's independent of
the HTTP header, one native module and probably some third party modules
can modify it, and a bad actor would need to spoof the TCP IPv4 internet
header's source address.

I admit, I probably could have been reasonably confident in our
configuration without needing to determine this. But I was surprised to
find there was no documentation or past forum posts saying whether this
variable came from the TCP/IP or the HTTP headers. After that, my sense of
technical discovery took over and kept me interested in the problem.

 ~ Paul Nickerson
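
Added example, not part of the original message or of NGINX's code: a Python sketch of the trust decision discussed above for log auditing behind load balancers. The TCP peer address is used as-is unless the peer is a known proxy, and only then is X-Forwarded-For walked right to left. The proxy ranges, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed ranges (assumption): stand-ins for your ELB/CDN address ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

def is_trusted(addr):
    """True if addr falls inside one of the trusted proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def resolve_client_ip(socket_peer, x_forwarded_for=None):
    """Return the address a request should be attributed to.

    socket_peer is the TCP peer address (what $remote_addr holds by default).
    The header is consulted only when that peer is a trusted proxy, and it is
    walked right to left, stopping at the first hop that is not trusted.
    """
    if not is_trusted(socket_peer) or not x_forwarded_for:
        return socket_peer          # header from an untrusted peer is ignored
    client = socket_peer
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                   # malformed entry: keep last validated address
        client = hop
        if not is_trusted(hop):
            break                   # first untrusted hop is the client
    return client

def audit(records):
    """Flag records where an untrusted peer supplied X-Forwarded-For."""
    return [(peer, xff) for peer, xff in records
            if xff and not is_trusted(peer)]

# Constructed sample (socket peer, X-Forwarded-For) pairs.
SAMPLE = [
    ("203.0.113.7", "198.51.100.9"),                          # direct, header ignored
    ("10.1.2.3", "198.51.100.9"),                             # via trusted proxy
    ("10.1.2.3", "203.0.113.99, 198.51.100.9, 192.0.2.10"),   # chained proxies
    ("10.1.2.3", None),                                       # proxy sent no header
]

if __name__ == "__main__":
    for peer, xff in SAMPLE:
        print(peer, xff, "->", resolve_client_ip(peer, xff))
    print("untrusted peers sending XFF:", audit(SAMPLE))
```

In the chained case the leftmost entry is never reached, because everything to the left of the first untrusted hop is client-supplied text.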
