Can real_ip_header's behavior be altered slightly?
Maxim Dounin
mdounin at mdounin.ru
Wed Dec 30 03:07:50 MSK 2009
Hello!
On Tue, Dec 29, 2009 at 01:32:48PM -0800, Michael Shadle wrote:
> Currently there's a slight annoyance (not sure I'd call it a bug) -
> we're behind a CDN and the wrong IP is being assigned from
> real_ip_header, because we're getting multiple IP addresses. Can the
> behavior be altered for this kind of case?
>
> in PHP, when dumping $_SERVER:
>
> ["HTTP_VIA"]=>
> string(127) "1.1 proxy1.company1.com, 1.1
> somehost2.cdncompany.net:8000 (EdgePrism/3.7.2.8), 1.1
> somehost1.cdncompany.net:80 (EdgePrism/3.7.2.8)"
>
> ["HTTP_X_FORWARDED_FOR"]=>
> string(31) "14.13.13.70, 20.11.18.105"
>
> ["REMOTE_ADDR"]=>
> string(15) "20.11.18.105"
>
> It shows the right address first in the X-Forwarded-For, but the other
> addresses second, but nginx is grabbing the LAST ip in the list.
The last one is the address added by last proxy. As we trust last
proxy - we use address added by it.
The first address is the address as it came from client. You
probably don't want to trust it at all.
If you want to pass original ip address of client through multiple
proxies - you just need to use real_ip_from / proxy_set_header
consistently on all proxies in chain.
Maxim Dounin
More information about the nginx
mailing list