realip module broken?

Igor Sysoev is at
Tue Aug 12 19:21:01 MSD 2008

On Tue, Aug 12, 2008 at 04:57:10PM +0200, Spil Games wrote:

> Spil Games wrote:
> > Does this ring a bell for anyone? It seems to me like the realip module
> > is seriously broken (at least in 0.6.32). I had a look at the source
> > code, but cannot come with anything obvious.
> I think I figured it out. We run multiple Nginx backends behind a Zeus 
> ZXTM loadbalancer. The loadbalancer is configured to use keepalives to 
> the backends and thus pipes requests from various source addresses 
> through one connection.
> When the first request on a new lb->ws connection comes in, Nginx 
> matches the source address to the value set through 'set_real_ip_from'. 
> Let's assume the request originates from the loadbalancer (obviously :P) 
> and that we have set 'set_real_ip_from' appropriately. The realip module 
> will patch the following:
>   sin->sin_addr.s_addr = addr;
>   r->connection->addr_text.len = len;
>   r->connection-> = p;
> So the IP address is corrected for this connection. So far, so good.
> Now to the second request: Nginx will try to match the source address 
> again, but because this is the same (already patched) connection, it 
> will not match 'set_real_ip_from' and the address will pass unmodified, 
> which is incorrect because this request originates from a different 
> client ip address.
> I can work around this problem by setting 'set_real_ip_from' to 
> '', but I think this is essentially a bug in the module. It 
> should not patch the source ip address for the whole (keepalive) 
> connection, but only for the current request.

I suspected those are loadbalancer keepalive connections.
I will look how to resolve the issue. Right now you may disable keepalive
on nginx side.

Igor Sysoev

More information about the nginx mailing list