Behavior of realip module with this config
pnickerson at cashstar.com
Fri Feb 10 15:20:01 UTC 2017
On Fri, Feb 10, 2017 at 7:33 AM, Maxim Dounin wrote:

> And real_ip_recursive switched on means that this happens
> recursively. As a result, with the configuration in question
> nginx will use the first address in X-Forwarded-For provided, if
> any (assuming all addresses are valid).
>
> Note that "set_real_ip_from 0.0.0.0/0" makes client's address as
> seen by nginx easily spoofable by any client, and it is generally
> a bad idea to use it in production.

Thank you for the reply, Maxim. "set_real_ip_from 0.0.0.0/0" does indeed
seem like a bad idea in production. Thank you for calling that out.

I am confused by this statement in the documentation:

"If recursive search is enabled, the original client address that matches
one of the trusted addresses is replaced by the last non-trusted address
sent in the request header field."

The language "last non-trusted address" suggests that NGINX looks for
something in real_ip_header which does not match set_real_ip_from. But
maybe I am interpreting that incorrectly.

If set_real_ip_from were set correctly to the host's content delivery
network, load balancer, and reverse proxy infrastructures, then my
interpretation would make sense, as $remote_addr would then get set to the
client's public IP, even if the client has network address translation and
forward proxy infrastructures which append to X-Forwarded-For. But in your
answer, wouldn't $remote_addr be set to the client's private IP address if
their firewall/gateway adds that private IP address to X-Forwarded-For
while it does the NATing? That doesn't seem very useful.

This is an example situation I'm thinking of (all the IPs are random, and
are the IPs "facing" NGINX):

set_real_ip_from 10.6.1.0/24, 126.96.36.199/24;

client's computer (192.168.1.79) > client's gateway (188.8.131.52) > my
content delivery network (184.108.40.206) > my load balancer (10.6.1.56) > my
X-Forwarded-For = 192.168.1.79, 220.127.116.11, 18.104.22.168

I think in your answer, $remote_addr would be set to 192.168.1.25, while in
my interpretation, it would be set to 22.214.171.124. And in either case,
$realip_remote_addr is 10.6.1.56.

It would be a strangely configured client gateway / firewall / NAT / proxy
that adds to X-Forwarded-For, but it can happen.

I guess I am still confused.

~ Paul Nickerson
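As an added illustration of the realip selection rule being debated above (this is not code from the thread, from nginx, or from either poster), the Python model below walks X-Forwarded-For from right to left the way the recursive search does: the connection peer must be in set_real_ip_from for the header to be consulted at all, each trusted hop is skipped, the first non-trusted address wins, and if every address is trusted the leftmost one is used, which is the outcome Maxim describes for 0.0.0.0/0. The addresses are constructed from the RFC 5737 documentation ranges rather than taken from the post, whose IPs were scrambled by the archive; the treatment of an unparseable header entry (stop walking and keep the last valid address) is my reading of the module and should be taken as an assumption.

```python
"""Model of nginx realip address selection (constructed example, not nginx source)."""
import ipaddress
from typing import List, Optional

# Constructed topology mirroring the post: private client -> NAT gateway ->
# CDN -> load balancer -> nginx. Only the CDN and LB ranges are trusted.
TRUSTED_SCOPED = ["10.6.1.0/24", "198.51.100.0/24"]   # constructed set_real_ip_from
TRUSTED_EVERYONE = ["0.0.0.0/0"]                      # the configuration Maxim warns about
LB_ADDR = "10.6.1.56"                                 # what $realip_remote_addr would hold
XFF_NORMAL = "192.168.1.79, 203.0.113.10, 198.51.100.20"


def _parse_addr(entry: str) -> Optional[str]:
    """Return a normalised address string, or None if the entry is not an IP."""
    try:
        return str(ipaddress.ip_address(entry))
    except ValueError:
        return None


def _is_trusted(addr: str, networks) -> bool:
    parsed = _parse_addr(addr)
    if parsed is None:
        return False
    ip = ipaddress.ip_address(parsed)
    return any(ip in net for net in networks)


def resolve_real_ip(remote_addr: str, xff_header: str,
                    set_real_ip_from: List[str], recursive: bool) -> str:
    """Return the value $remote_addr would take after realip processing.

    remote_addr is the TCP peer (always preserved as $realip_remote_addr).
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in set_real_ip_from]

    # Peer not trusted: the header is ignored and the peer address stands.
    if not _is_trusted(remote_addr, networks):
        return remote_addr

    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    if not entries:
        return remote_addr

    candidate = remote_addr
    for entry in reversed(entries):          # rightmost entry first
        parsed = _parse_addr(entry)
        if parsed is None:
            # Assumption: an unparseable entry ends the walk; keep what we have.
            return candidate
        candidate = parsed
        # Non-recursive: the last address is taken unconditionally.
        # Recursive: keep walking only while the address is itself trusted.
        if not recursive or not _is_trusted(candidate, networks):
            return candidate

    # Every header address was trusted: the leftmost (first) address wins.
    return candidate


if __name__ == "__main__":
    for label, trusted in (("scoped", TRUSTED_SCOPED), ("0.0.0.0/0", TRUSTED_EVERYONE)):
        for recursive in (False, True):
            print(f"{label:10} recursive={recursive!s:5} ->",
                  resolve_real_ip(LB_ADDR, XFF_NORMAL, trusted, recursive))
```

With the scoped list, recursive mode skips the trusted CDN hop and lands on the gateway's public address (203.0.113.10), the result Paul's reading of the documentation predicts; with 0.0.0.0/0 every hop is trusted, so the walk runs to the leftmost entry and $remote_addr becomes the private 192.168.1.79, which any client could replace by sending its own X-Forwarded-For value.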