realip_module

Maxim Dounin mdounin at mdounin.ru
Tue Aug 16 12:39:11 UTC 2011


Hello!

On Tue, Aug 16, 2011 at 12:46:11PM +0300, Anatoli Marinov wrote:

> Hello mates,
> I tried readip_module and I found it does not work as I expect.
> For example the header may looks like this:
> X-Forwarded-For: client1, proxy1, proxy2
> 
> Where client1 should be the real ip address of the client, proxy1
> should be the first proxy after the client and proxy2 should be the
> last proxy after the client and the first before the nginx. Nginx
> has the connection with proxy2.

If request flow looks like

    client1 -> proxy1 -> proxy2 -> nginx

(that is, nginx sees a connection from proxy2) X-Forwarded-For 
header will be "client1, proxy1".  The address added by proxy2 is 
"proxy1".  If we trust proxy2 - we may only use "proxy1" as a 
client address, everything else isn't trusted.

> I think In this case readip_module should return client1 ip address.
> It returns the latest address in the field - proxy2.
> What do you think? Is the behaviour wrong or I do not understand the
> meaning of this header?

Right now nginx is only able to took *one* address, the one which 
was added by a trusted proxy which connected to nginx.

As X-Forwarded-For contains chain of addresses, it's possible 
to pick first untrusted address.  That is, in the above case we 
may pick "client1" if we trust both proxy2 and proxy1.  This is 
not currently done, see http://trac.nginx.org/nginx/ticket/2.

Maxim Dounin



More information about the nginx-devel mailing list