Behavior of realip module with this config

Paul Nickerson pnickerson at
Fri Feb 10 15:20:01 UTC 2017

On Fri, Feb 10, 2017 at 7:33 AM, Maxim Dounin wrote:
> And real_ip_recursive switched on means that this happens
> recursively.  As a result, with the configuration in question
> nginx will use the first address in X-Forwarded-For provided, if
> any (assuming all addresses are valid).
> Note that "set_real_ip_from" makes client's address as
> seen by nginx easily spoofable by any client, and it is generally
> a bad idea to use it in production.

Thank you for the reply, Maxim. "set_real_ip_from" does indeed
seem like a bad idea in production. Thank you for calling that out.

I am confused by this statement in the documentation:
"If recursive search is enabled, the original client address that matches
one of the trusted addresses is replaced by the last non-trusted address
sent in the request header field."

The language "last non-trusted address" suggests that NGINX looks for
something in real_ip_header which does not match set_real_ip_from. But
maybe I am interpreting that incorrectly.

If set_real_ip_from were set correctly to the host's content delivery
network, load balancer, and reverse proxy infrastructures, then my
interpretation would make sense, as $remote_addr would then get set to the
client's public IP, even if the client has network address translation and
forward proxy infrastructures which append to X-Forwarded-For. But in your
answer, wouldn't $remote_addr be set to the client's private IP address if
their firewall/gateway adds that private IP address to X-Forwarded-For
while it does the NATing? That doesn't seem very useful.

This is an example situation I'm thinking of (all the IPs are random, and
are the IPs "facing" NGINX):

real_ip_header X-Forwarded-For;
real_ip_recursive on;

client's computer ( > client's gateway ( > my
content delivery network ( > my load balancer ( > my

X-Forwarded-For =,,

I think in your answer, $remote_addr would be set to, while in
my interpretation, it would be set to And in either case,
$realip_remote_addr is

It would be a strangely configured client gateway / firewall / NAT / proxy
that adds to X-Forwarded-For, but it can happen.

I guess I am still confused.

 ~ Paul Nickerson



The attached information is PRIVILEGED AND CONFIDENTIAL and is intended 
only for the use of the addressee named above.  If the reader of this 
message is not the intended recipient or the employee or agent responsible 
for delivering the message to the intended recipient, please be aware that 
any dissemination, distribution or duplication of this communication is 
strictly prohibited. If you receive this communication in error, please 
notify us immediately by telephone, delete the message and destroy any 
printed copy of the message. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list