[PATCH] Improve X-Forwarded-For handling in realip
Michael Shadle
mike503 at gmail.com
Thu Dec 2 10:44:25 MSK 2010
On Wed, Dec 1, 2010 at 7:31 PM, Omar Kilani <omar.kilani at gmail.com> wrote:
> Hi Michael,
>
> You should be able to get a list of subnets from your CDN, which you
> can add to 'set_real_ip_from'. This way, you'll get the first
> untrusted IP in the chain -- the scan works backwards, so even if your
> XFF looked like:
>
> X-Forwarded-For: proxy1 proxy2 client1
>
> You'll get 'client1' if you add 'proxy1' or 'proxy2' to 'set_real_ip_from'.
>
> And if your XFF looked like:
>
> X-Forwarded-For: client1 proxy1 proxy2
>
> You'll get 'client1' too -- hence the patch. :)
I don't want to necessarily have to define subnets; I'm fine with
trusting the header I get (which can be custom sometimes).
I just need to be able to get the last (or first) IP.
Does the patch just apply the proxy IPs against the set_real_ip_from
and ignore those? I didn't really read it much.
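
An added illustration, not code from the patch or from nginx: a backwards scan of X-Forwarded-For that skips addresses inside trusted ranges and returns the first one outside them, next to what taking the first entry returns when the client supplied part of the header itself. It assumes comma-separated values; the addresses, the `TRUSTED` range and the function names are constructed for the example.

```python
import ipaddress

TRUSTED = ["203.0.113.0/24"]   # constructed stand-in for a CDN's published subnets

def parse_xff(header):
    """Split a comma-separated X-Forwarded-For value, left to right.
    Entries that are not valid IP addresses become None."""
    entries = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            entries.append(ipaddress.ip_address(part))
        except ValueError:
            entries.append(None)
    return entries

def real_ip(peer, header, trusted=TRUSTED):
    """Scan from the connecting peer backwards through the header and
    return the first address that is outside every trusted range."""
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(addr):
        return any(addr in net for net in nets)

    current = ipaddress.ip_address(peer)
    if not is_trusted(current):
        return str(current)          # untrusted peer: its header is ignored
    for addr in reversed(parse_xff(header)):
        if addr is None:
            break                    # unparsable entry: stop at the last good hop
        current = addr
        if not is_trusted(addr):
            break                    # first untrusted address, scanning backwards
    return str(current)

def first_entry(header):
    """What 'just take the first IP' yields: whatever text is leftmost."""
    entries = parse_xff(header)
    return str(entries[0]) if entries and entries[0] is not None else None

if __name__ == "__main__":
    # Constructed header: the client sent "192.0.2.99" itself, then two hops appended.
    hdr = "192.0.2.99, 198.51.100.7, 203.0.113.5"
    print(real_ip("203.0.113.10", hdr))   # address recorded by the first trusted hop
    print(first_entry(hdr))               # client-chosen value
```

With no trusted list, any entry in the header can be client-chosen, which is why the scan only walks past hops that match a configured range.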