Can real_ip_header's behavior be altered slightly?

Maxim Dounin mdounin at mdounin.ru
Wed Dec 30 03:29:22 MSK 2009


Hello!

On Tue, Dec 29, 2009 at 04:14:58PM -0800, Michael Shadle wrote:

> On Tue, Dec 29, 2009 at 4:07 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> > The last one is the address added by last proxy.  As we trust last
> > proxy - we use address added by it.
> >
> > The first address is the address as it came from client.  You
> > probably don't want to trust it at all.
> >
> > If you want to pass original ip address of client through multiple
> > proxies - you just need to use real_ip_from / proxy_set_header
> > consistently on all proxies in chain.
> 
> It appears that the order we're receiving it is from multiple
> X-Forwarded-For addresses...
> 
> This is from:
> 
> corporate network proxy -> CDN -> nginx server
> 
> The corporate network proxy passes on an IP in X-Forwarded-For, then
> the CDN seems to use X-Forwarded-For as well. nginx seems to get them
> but the order is opposite. Are you sure this logic is proper? In this
> experience it is actually backwards.

http://en.wikipedia.org/wiki/X-Forwarded-For

> It's not actually a corporate proxy or CDN we have any control over.
> We're just inheriting these headers.

Well, as long as you have no control over proxies in chain - you 
probably want to iterate over addresses in X-Forwarded-For from 
last to first until you find one which isn't trusted.  This isn't 
something nginx is able to do right now.

Maxim Dounin
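
Added example, not part of the original message and not nginx code: the last-to-first walk over X-Forwarded-For described in the reply above, sketched in Python. The function name, the trusted range and the sample addresses are constructed for illustration (documentation address ranges).

```python
import ipaddress

def client_address(peer, xff_values, trusted_cidrs):
    """Return the first address, walking from the TCP peer back through
    X-Forwarded-For (last entry to first), that is not a trusted proxy."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    current = ipaddress.ip_address(peer)
    # Several X-Forwarded-For header lines are equivalent to one
    # comma-separated list, in the order the lines were received.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    for hop in reversed(hops):
        if not any(current in net for net in trusted):
            break  # `current` is not one of our proxies: stop here
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last address we could verify
    return str(current)

# Constructed sample: client -> corporate proxy -> CDN -> this server.
# Only the CDN range is trusted; the client forged the first entry.
TRUSTED = ["192.0.2.0/24"]   # hypothetical CDN egress range
CDN_PEER = "192.0.2.10"      # source address of the TCP connection
XFF = ["203.0.113.99, 10.1.2.3, 198.51.100.7"]

if __name__ == "__main__":
    # The CDN appended 198.51.100.7 (the corporate proxy). That proxy is
    # not trusted, so everything to its left, forged or not, is ignored.
    print(client_address(CDN_PEER, XFF, TRUSTED))
```

Later nginx releases added the `real_ip_recursive` directive to the realip module, which performs this kind of walk against the `set_real_ip_from` list.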


