realip module broken?

Spil Games lists at
Tue Aug 12 18:57:10 MSD 2008

Spil Games wrote:
> Does this ring a bell for anyone? It seems to me like the realip module
> is seriously broken (at least in 0.6.32). I had a look at the source
> code, but cannot come with anything obvious.

I think I figured it out. We run multiple Nginx backends behind a Zeus 
ZXTM loadbalancer. The loadbalancer is configured to use keepalives to 
the backends and thus pipes requests from various source addresses 
through one connection.

When the first request on a new lb->ws connection comes in, Nginx 
matches the source address to the value set through 'set_real_ip_from'. 
Let's assume the request originates from the loadbalancer (obviously :P) 
and that we have set 'set_real_ip_from' appropriately. The realip module 
will patch the following:

  sin->sin_addr.s_addr = addr;
  r->connection->addr_text.len = len;
  r->connection-> = p;

So the IP address is corrected for this connection. So far, so good.

Now to the second request: Nginx will try to match the source address 
again, but because this is the same (already patched) connection, it 
will not match 'set_real_ip_from' and the address will pass unmodified, 
which is incorrect because this request originates from a different 
client ip address.

I can work around this problem by setting 'set_real_ip_from' to 
'', but I think this is essentially a bug in the module. It 
should not patch the source ip address for the whole (keepalive) 
connection, but only for the current request.
Posted via

More information about the nginx mailing list