realip module broken?

Spil Games lists at ruby-forum.com
Tue Aug 12 18:57:10 MSD 2008


Spil Games wrote:
> Does this ring a bell for anyone? It seems to me like the realip module
> is seriously broken (at least in 0.6.32). I had a look at the source
> code, but cannot come up with anything obvious.

I think I figured it out. We run multiple Nginx backends behind a Zeus 
ZXTM loadbalancer. The loadbalancer is configured to use keepalives to 
the backends and thus pipes requests from various source addresses 
through one connection.

When the first request on a new lb->ws connection comes in, Nginx 
matches the source address to the value set through 'set_real_ip_from'. 
Let's assume the request originates from the loadbalancer (obviously :P) 
and that we have set 'set_real_ip_from' appropriately. The realip module 
will patch the following:

  sin->sin_addr.s_addr = addr;
  r->connection->addr_text.len = len;
  r->connection->addr_text.data = p;

So the IP address is corrected for this connection. So far, so good.

Now to the second request: Nginx will try to match the source address 
again, but because this is the same (already patched) connection, it 
will not match 'set_real_ip_from' and the address will pass unmodified, 
which is incorrect because this request originates from a different 
client IP address.

I can work around this problem by setting 'set_real_ip_from' to 
'0.0.0.0/0', but I think this is essentially a bug in the module. It 
should not patch the source IP address for the whole (keepalive) 
connection, but only for the current request.
-- 
Posted via http://www.ruby-forum.com/.
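
The behaviour described in this message, as an added example that is not part of the original post and is not nginx source: a simplified C model in which the trust check reads the connection address that an earlier request already overwrote, beside a per-request variant that checks the untouched socket peer. The struct, function names and addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TRUSTED_LB 0x0A000001u   /* 10.0.0.1, constructed load balancer address */

/* Constructed client addresses as forwarded in the request header */
static const uint32_t SAMPLE_HDR[3] = { 0xC6336407u, 0xCB007109u, 0xC000022Au };

struct conn { uint32_t peer; uint32_t addr; };  /* socket peer, reported address */

/* Per-connection patching as the post describes it: the trust check reads
 * the same field that a previous request on this connection overwrote. */
static uint32_t realip_per_connection(struct conn *c, uint32_t hdr_ip)
{
    if (c->addr == TRUSTED_LB)
        c->addr = hdr_ip;
    return c->addr;
}

/* Per-request variant, the behaviour the post asks for: trust is decided on
 * the unmodified socket peer and nothing is stored on the connection. */
static uint32_t realip_per_request(const struct conn *c, uint32_t hdr_ip)
{
    return c->peer == TRUSTED_LB ? hdr_ip : c->peer;
}

/* Replay n header addresses over one keepalive connection from the load
 * balancer and count requests reported under the wrong client address. */
static int misattributed(const uint32_t *hdr, int n, int per_request)
{
    struct conn c = { TRUSTED_LB, TRUSTED_LB };
    int wrong = 0;
    for (int i = 0; i < n; i++) {
        uint32_t got = per_request ? realip_per_request(&c, hdr[i])
                                   : realip_per_connection(&c, hdr[i]);
        if (got != hdr[i])
            wrong++;
    }
    return wrong;
}

int main(void)
{
    printf("per-connection: %d of 3 misattributed\n", misattributed(SAMPLE_HDR, 3, 0));
    printf("per-request:    %d of 3 misattributed\n", misattributed(SAMPLE_HDR, 3, 1));
    return 0;
}
```

In the per-connection model every request after the first is reported under the first client's address, so access logs and any address-based access control or rate limiting on that connection act on the wrong client.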