realip module broken?

Igor Sysoev is at rambler-co.ru
Tue Aug 12 19:21:01 MSD 2008


On Tue, Aug 12, 2008 at 04:57:10PM +0200, Spil Games wrote:

> Spil Games wrote:
> > Does this ring a bell for anyone? It seems to me like the realip module
> > is seriously broken (at least in 0.6.32). I had a look at the source
> > code, but cannot come up with anything obvious.
> 
> I think I figured it out. We run multiple Nginx backends behind a Zeus 
> ZXTM loadbalancer. The loadbalancer is configured to use keepalives to 
> the backends and thus pipes requests from various source addresses 
> through one connection.
> 
> When the first request on a new lb->ws connection comes in, Nginx 
> matches the source address to the value set through 'set_real_ip_from'. 
> Let's assume the request originates from the loadbalancer (obviously :P) 
> and that we have set 'set_real_ip_from' appropriately. The realip module 
> will patch the following:
> 
>   sin->sin_addr.s_addr = addr;
>   r->connection->addr_text.len = len;
>   r->connection->addr_text.data = p;
> 
> So the IP address is corrected for this connection. So far, so good.
> 
> Now to the second request: Nginx will try to match the source address 
> again, but because this is the same (already patched) connection, it 
> will not match 'set_real_ip_from' and the address will pass unmodified, 
> which is incorrect because this request originates from a different 
> client ip address.
> 
> I can work around this problem by setting 'set_real_ip_from' to 
> '0.0.0.0/0', but I think this is essentially a bug in the module. It 
> should not patch the source ip address for the whole (keepalive) 
> connection, but only for the current request.

I suspected those are loadbalancer keepalive connections.
I will look into how to resolve the issue. Right now you may disable keepalive
on nginx side.


-- 
Igor Sysoev
http://sysoev.ru/en/
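
The failure mode described in this thread, as an added example that is not part of the original messages and is not nginx source: a simplified C model of one keepalive connection from the load balancer carrying three requests. The struct, function names and addresses are constructed for illustration; the per-request variant is one way to do what the poster suggests, not the fix nginx adopted.

```c
#include <stdio.h>
#include <stdint.h>

/* Simplified model (assumption, not nginx structures):
   peer = real TCP source, addr = address that logs and ACLs see. */
typedef struct { uint32_t peer; uint32_t addr; } conn_t;

static const uint32_t TRUSTED = 0x0A000001u;   /* constructed: 10.0.0.1, the balancer */
/* constructed client addresses the balancer reports: 198.51.100.1 .. .3 */
static const uint32_t SAMPLE[3] = { 0xC6336401u, 0xC6336402u, 0xC6336403u };

/* Behaviour described in the thread: the trust check reads the same
   connection field that the module overwrites, so it only matches once. */
static uint32_t realip_per_connection(conn_t *c, uint32_t hdr)
{
    if (c->addr == TRUSTED)
        c->addr = hdr;              /* patched for the whole connection */
    return c->addr;
}

/* Per-request variant: the trust check uses the untouched peer address
   and the result is returned for this request only. */
static uint32_t realip_per_request(const conn_t *c, uint32_t hdr)
{
    return (c->peer == TRUSTED) ? hdr : c->peer;
}

/* Count requests on one keepalive connection that end up attributed
   to an address other than the one the balancer reported. */
static int misattributed(int per_request, const uint32_t *hdrs, int n)
{
    conn_t c = { TRUSTED, TRUSTED };
    int wrong = 0;
    for (int i = 0; i < n; i++) {
        uint32_t seen = per_request ? realip_per_request(&c, hdrs[i])
                                    : realip_per_connection(&c, hdrs[i]);
        if (seen != hdrs[i])
            wrong++;
    }
    return wrong;
}

int main(void)
{
    printf("per-connection patching: %d of 3 misattributed\n",
           misattributed(0, SAMPLE, 3));
    printf("per-request resolution:  %d of 3 misattributed\n",
           misattributed(1, SAMPLE, 3));
    return 0;
}
```

In the per-connection model every request after the first is logged and access-checked under the first client's address, while the per-request model still ignores the header when the peer is not the trusted balancer.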




