Can real_ip_header's behavior be altered slightly?

Michael Shadle mike503 at
Wed Dec 30 03:14:58 MSK 2009

On Tue, Dec 29, 2009 at 4:07 PM, Maxim Dounin <mdounin at> wrote:

> The last one is the address added by last proxy.  As we trust last
> proxy - we use address added by it.
> The first address is the address as it came from client.  You
> probably don't want to trust it at all.
> If you want to pass original ip address of client through multiple
> proxies - you just need to use real_ip_from / proxy_set_header
> consistently on all proxies in chain.

It appears that the order we're receiving it is from multiple
X-Forwarded-For addresses...

This is from:

corporate network proxy -> CDN -> nginx server

The corporate network proxy passes on an IP in X-Forwarded-For, then
the CDN seems to use X-Forwarded-For as well. nginx seems to get them
but the order is opposite. Are you sure this logic is proper? In this
experience it is actually backwards.

It's not actually a corporate proxy or CDN we have any control over.
We're just inheriting these headers.

More information about the nginx mailing list