[PATCH] Fix for ticket #106: Correctly handle multiple X-Forwarded-For headers

Vladimir Shebordaev vshebordaev at mail.ru
Wed Jun 20 07:15:01 UTC 2012


2012/6/20 Tribble, Alex <atribble at amazon.com>:
> When nginx gets multiple X-Forwarded-For headers in a single request, it
> only keeps the last one in r->headers_in (and thus in
> $http_x_forwarded_for, $proxy_add_x_forwarded_for). Reverse proxies behind
> an nginx instance sometimes need the entire X-Forwarded-For chain - part
> of which is discarded in this case.
> Per RFC 2616, it's equivalent to concatenate each header value (separated
> by a comma) and send the concatenated value to the upstream:
> 4.2
> -snip-
>   Multiple message-header fields with the same field-name MAY be
>   present in a message if and only if the entire field-value for that
>   header field is defined as a comma-separated list [i.e., #(values)].
>   It MUST be possible to combine the multiple header fields into one
>   "field-name: field-value" pair, without changing the semantics of the
>   message, by appending each subsequent field-value to the first, each
>   separated by a comma. The order in which header fields with the same
>   field-name are received is therefore significant to the
>   interpretation of the combined field value, and thus a proxy MUST NOT
>   change the order of these field values when a message is forwarded.
> -snip-
> Attached is a patch that does exactly this, in the case of multiple headers.
> Please let me know if you have any comments about this patch - I'm happy
> to make any changes you suggest.

Basically, ngx_table_elt_t element structure is to contain an
atomic header value for faster access when it is used internally, so
I'd suggest to embed an array of ngx_table_elt_t elements into
headers_in structure that would stack the headers in order of
appearence. If the headers already come in in a comma separated list as
per RFC  2616, it would be consistent to split 'em and also push into
that array in order. It seems, output header structures and routines
should be also changed accordingly.

By the way, I guess X-Forwarded-For is not the only header that can stack.

> Relevant bug report:
> http://trac.nginx.org/nginx/ticket/106
> Thanks,
> Alex Tribble

In the hope it helps.


More information about the nginx-devel mailing list