[PATCH] Improve X-Forwarded-For handling in realip

Michael Shadle mike503 at gmail.com
Thu Dec 2 10:44:25 MSK 2010


On Wed, Dec 1, 2010 at 7:31 PM, Omar Kilani <omar.kilani at gmail.com> wrote:
> Hi Michael,
>
> You should be able to get a list of subnets from your CDN, which you
> can add to 'set_real_ip_from'. This way, you'll get the first
> untrusted IP in the chain -- the scan works backwards, so even if your
> XFF looked like:
>
> X-Forwarded-For: proxy1 proxy2 client1
>
> You'll get 'client1' if you add 'proxy1' or 'proxy2' to 'set_real_ip_from'.
>
> And if your XFF looked like:
>
> X-Forwarded-For: client1 proxy1 proxy2
>
> You'll get 'client1' too -- hence the patch. :)

I don't want to necessarily have to define subnets; I'm fine with
trusting the header I get (which can be custom sometimes).

I just need to be able to get the last (or first) IP.

Does the patch just apply the proxy IPs against the set_real_ip_from
and ignore those? I didn't really read it much.
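To make the behaviour discussed in this thread concrete, here is an added example (not nginx's realip module and not the patch under discussion) that mirrors the backward scan Omar describes: start from the connecting address, and only if that address is in the trusted list (the analogue of `set_real_ip_from`) walk the X-Forwarded-For chain from right to left, skipping every hop that is itself trusted, until the first untrusted address. The `TRUSTED_PROXIES` list, the `real_ip` function and the `recursive` flag are assumptions of this example; the flag models the difference between taking only the last header entry and scanning the whole chain (nginx later exposed that choice as the `real_ip_recursive` directive). It also shows why the trust list matters for Michael's case: when the connecting address is not a trusted proxy, the header is ignored, so a client cannot pick its own "real" IP by prepending entries.

```python
import ipaddress

# Constructed example: networks of the CDN / front proxies we trust,
# the equivalent of a set_real_ip_from list in nginx.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def is_trusted(addr, trusted):
    """True if addr (a string) lies in any trusted network. Raises ValueError on junk."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def parse_xff(header):
    """Split an X-Forwarded-For value into its entries, accepting comma or space separators."""
    if not header:
        return []
    return [p for p in header.replace(",", " ").split() if p]


def real_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES, recursive=True):
    """Return the address to treat as the client, following the backward-scan rule.

    - If the TCP peer (remote_addr) is not a trusted proxy, the header is untrusted
      and remote_addr is returned unchanged.
    - Otherwise walk the chain right to left. With recursive=True every trusted hop
      is skipped and the first untrusted address wins (leftmost entry if all are
      trusted). With recursive=False only the last entry is taken.
    - A malformed entry makes us fall back to remote_addr (a conservative choice
      made for this example).
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    chain = parse_xff(xff_header)
    if not chain:
        return remote_addr

    candidate = remote_addr
    for addr in reversed(chain):
        try:
            trusted_hop = is_trusted(addr, trusted)
        except ValueError:
            return remote_addr
        candidate = addr
        if not trusted_hop or not recursive:
            break
    return candidate


if __name__ == "__main__":
    # Constructed addresses: 10.2.3.4 and 192.0.2.10 are trusted proxies,
    # 203.0.113.7 is the real client, 198.51.100.99 is a value the client forged.
    print(real_ip("10.2.3.4", "203.0.113.7, 192.0.2.10"))        # 203.0.113.7
    print(real_ip("10.2.3.4", "198.51.100.99, 203.0.113.7"))     # 203.0.113.7 (forged prefix ignored)
    print(real_ip("203.0.113.7", "198.51.100.99"))               # 203.0.113.7 (peer not trusted, header ignored)
```

Run against the constructed chains in `__main__`: in Omar's `proxy1 proxy2 client1` layout the rightmost entry is already untrusted and is returned at once; in the `client1 proxy1 proxy2` layout the scan steps over both trusted proxies and still ends on `client1`. The fall-back when the peer is untrusted is the property that makes skipping the subnet list unsafe: without it, whatever the client writes into the header becomes its "real" address.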


