set_real_ip_from, real_ip_header directive in ngx_http_realip_module
Maxim Dounin
mdounin at mdounin.ru
Thu Jun 29 15:33:02 UTC 2017
Hello!
On Thu, Jun 29, 2017 at 09:08:40AM -0400, foxgab wrote:
> if nginx is behind another proxy, that proxy set the X-Forwarded-for header
> with the real client ip, and the configration of nginx is :
>
> location / {
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> real_ip_header X-Forwarded-For;
> set_real_ip_from 192.168.0.0/16;
> }
>
> whether the real client ip or the address of the proxy will add in the
> X-Forwarded-For header?
> will the value of $remote_addr changes only after real_ip_header directive
> or at the beginning of the context?
The order of the directives in the nginx configuration is not
important (except a few cases where it is explicitly outlined,
like location blocks with regular expressions or rewrite module
instructions). Directives merely set various options for request
processing, and it doesn't matter where you set the option.
The realip module, when configured in a location context, changes
client's address as seen by nginx right after the location
configuration is choosen (and the request is processed by the
rewrite module, if any), before access-related checks.
That is, in the configuration above the realip module will change
the client's address before the "proxy_set_header" directive will
use it. As such, X-Forwarded-For as sent to the backend will
include client address set by the realip module, and the above
configuration will result in duplicate addresses in
X-Forwarded-For.
--
Maxim Dounin
http://nginx.org/
More information about the nginx
mailing list