Can real_ip_header's behavior be altered slightly?

Maxim Dounin mdounin at mdounin.ru
Wed Dec 30 03:07:50 MSK 2009


Hello!

On Tue, Dec 29, 2009 at 01:32:48PM -0800, Michael Shadle wrote:

> Currently there's a slight annoyance (not sure I'd call it a bug) -
> we're behind a CDN and the wrong IP is being assigned from
> real_ip_header, because we're getting multiple IP addresses. Can the
> behavior be altered for this kind of case?
> 
> in PHP, when dumping $_SERVER:
> 
> ["HTTP_VIA"]=>
> string(127) "1.1 proxy1.company1.com, 1.1
> somehost2.cdncompany.net:8000 (EdgePrism/3.7.2.8), 1.1
> somehost1.cdncompany.net:80 (EdgePrism/3.7.2.8)"
> 
> ["HTTP_X_FORWARDED_FOR"]=>
> string(31) "14.13.13.70, 20.11.18.105"
> 
> ["REMOTE_ADDR"]=>
> string(15) "20.11.18.105"
> 
> It shows the right address first in the X-Forwarded-For, but the other
> addresses second, but nginx is grabbing the LAST ip in the list.

The last one is the address added by last proxy.  As we trust last 
proxy - we use address added by it.

The first address is the address as it came from client.  You 
probably don't want to trust it at all.

If you want to pass original ip address of client through multiple 
proxies - you just need to use real_ip_from / proxy_set_header 
consistently on all proxies in chain.

Maxim Dounin



More information about the nginx mailing list