set_real_ip_from, real_ip_header directive in ngx_http_realip_module

Maxim Dounin mdounin at
Thu Jun 29 15:33:02 UTC 2017


On Thu, Jun 29, 2017 at 09:08:40AM -0400, foxgab wrote:

> if nginx is behind another proxy, that proxy set the X-Forwarded-for header
> with the real client ip, and the configration of nginx is :
> location / {
> proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
> real_ip_header    X-Forwarded-For;
> set_real_ip_from;
> }
> whether the real client ip or the address of the proxy will add in the
> X-Forwarded-For header?
> will the value of $remote_addr changes only after real_ip_header directive
> or at the beginning of the context?

The order of the directives in the nginx configuration is not 
important (except a few cases where it is explicitly outlined, 
like location blocks with regular expressions or rewrite module 
instructions).  Directives merely set various options for request 
processing, and it doesn't matter where you set the option.

The realip module, when configured in a location context, changes 
client's address as seen by nginx right after the location 
configuration is choosen (and the request is processed by the 
rewrite module, if any), before access-related checks.

That is, in the configuration above the realip module will change 
the client's address before the "proxy_set_header" directive will 
use it.  As such, X-Forwarded-For as sent to the backend will 
include client address set by the realip module, and the above 
configuration will result in duplicate addresses in 

Maxim Dounin

More information about the nginx mailing list