Behavior of realip module with this config
mdounin at mdounin.ru
Fri Feb 10 12:33:35 UTC 2017
On Thu, Feb 09, 2017 at 05:49:13PM -0500, Paul Nickerson wrote:
> I've got the config below. I don't have these settings reconfigured
> anywhere else. My understanding is that no matter anything else at all
> anywhere else, and no matter whether the X-Forwarded-For field in the HTTP
> header has one or multiple IP addresses, or isn't even present,
> $remote_addr will not be altered.
>
> set_real_ip_from 0.0.0.0/0;
> real_ip_header X-Forwarded-For;
> real_ip_recursive on;
>
> From what I read, "real_ip_recursive on" means that $remote_addr can only
> be set to an IP address that is not in the range set by set_real_ip_from.
> And since that's 0.0.0.0/0, there is no IP that can meet this requirement.
> Am I correct in my analysis?
CIDR 0.0.0.0/0 means 0.0.0.0 - 255.255.255.255, so any IP address
is allowed to change the IP via X-Forwarded-For. You can find
more information about CIDR notation here:

And real_ip_recursive switched on means that this happens
recursively. As a result, with the configuration in question
nginx will use the first address in X-Forwarded-For provided, if
any (assuming all addresses are valid).

Note that "set_real_ip_from 0.0.0.0/0" makes the client's address as
seen by nginx easily spoofable by any client, and it is generally
a bad idea to use it in production.

More information about the nginx
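As an added illustration (my own model of the address walk the reply describes, not nginx's code and not part of the thread), the function below picks $remote_addr from X-Forwarded-For given the set_real_ip_from list and the real_ip_recursive flag; all addresses and headers in it are constructed sample values.

```python
from ipaddress import ip_address, ip_network


def real_ip(remote_addr, xff, trusted, recursive):
    """Model of how nginx's realip module derives $remote_addr.

    remote_addr: peer address as seen by nginx
    xff:         X-Forwarded-For header value, or None if absent
    trusted:     list of CIDR strings from set_real_ip_from
    recursive:   value of real_ip_recursive
    """
    nets = [ip_network(c) for c in trusted]
    addr = ip_address(remote_addr)
    if xff is None:
        return str(addr)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # The header is walked from the right (nearest proxy) to the left.
    while hops:
        # Only a trusted peer may vouch for the next entry to its left.
        if not any(addr in n for n in nets):
            break
        try:
            candidate = ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: keep the last valid address found
        addr = candidate
        if not recursive:
            break
    return str(addr)


# Constructed header: the leftmost value is whatever the client sent,
# the others were appended by (hypothetical) proxies 203.0.113.7 and 10.0.0.5.
SAMPLE_XFF = "1.2.3.4, 203.0.113.7, 10.0.0.5"


def thread_config_result():
    """The configuration asked about: 0.0.0.0/0 trusts every hop, so the
    walk runs to the leftmost, client-chosen entry."""
    return real_ip("10.0.0.9", SAMPLE_XFF, ["0.0.0.0/0"], True)


def narrow_trust_result():
    """With only the internal proxy range trusted, the walk stops at the
    first address that is not a trusted proxy."""
    return real_ip("10.0.0.9", SAMPLE_XFF, ["10.0.0.0/8"], True)
```

The contrast between the two results is the spoofability the reply warns about: with 0.0.0.0/0 the client fully controls $remote_addr, while a narrow set_real_ip_from yields the address the nearest untrusted hop actually connected from.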