nginx and thttpd + cgi, remote_addr = 127.0.0.1

Francis Daly francis at daoine.org
Wed Oct 26 13:02:58 UTC 2011


On Wed, Oct 26, 2011 at 02:17:37AM +0400, Кирюшкин Владимир wrote:
> 26.10.2011, 02:10, "Francis Daly" <francis at daoine.org>:
> > On Wed, Oct 26, 2011 at 01:11:40AM +0400, Кирюшкин Владимир wrote:

Hi there,

> > That should cause two variables HTTP_X_REAL_IP and HTTP_X_FORWARDED_FOR
> > to be visible in the CGI output.
> 
> Alas, no. The full output is (when using proxy):

Ah, this thttpd doesn't expose the full http header as HTTP_* environment
variables. So scratch that as a test.

> > That patch looks like it will write the value of the X-Forwarded-For
> > header into something internal to thttpd.
> 
> Yes, it is intended to change X-Forwarded-For into Remote-Addr, but it seems that it doesn't work.

Test the thttpd side:

curl -H 'X-Forwarded-For: 127.0.0.2' http://[thttpd-server]/env.cgi

If you don't see REMOTE_ADDR=127.0.0.2, then your thttpd is not acting
as you expect. Nothing nginx can do can help you in that case.

And note what

curl -H 'X-Forwarded-For: 127.0.0.2, 127.0.0.3' http://[thttpd-server]/env.cgi

shows that is different.

If thttpd directly works (as above) and through nginx doesn't, then check
the nginx debug log to see what exactly nginx is sending to thttpd --
it'll be the line with

http script copy: "X-Forwarded-For: "

and the next line will show the value.

Test using 

curl http://[nginx-server]/env.cgi

and possibly

curl -H 'X-Forwarded-For: 127.0.0.2' http://[nginx-server]/env.cgi

> > If they are not what you expect, check what nginx is doing.
> 
> How could I do that?

debug log.

Overall, when I test here, it all works as expected, by which I mean:

when I access nginx on 10.0.2.15 which proxy_pass'es to thttpd on
127.0.0.1, I see REMOTE_ADDR=10.0.2.15

when I access nginx on 10.0.2.15 through any other proxy,
so that X-Forwarded-For is set before it gets to nginx, I see
REMOTE_ADDR=127.0.0.1

This patch to thttpd seems to require that X-Forwarded-For contains
exactly one address, which means that you must not set it in nginx using

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

You'll instead want something like

proxy_set_header X-Forwarded-For $remote_addr;

with some careful thought about what to do if X-Forwarded-For was set
in the request to nginx.

Good luck,

	f
-- 
Francis Daly        francis at daoine.org
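
The header handling discussed in the message above, as an added example that is not part of the original post and is not nginx or thttpd code. It assumes a backend that accepts X-Forwarded-For only when it holds exactly one IP address and otherwise keeps the socket peer, as the message suggests the patch does; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

NGINX_PEER = "127.0.0.1"  # address thttpd sees on the socket when nginx connects

def proxy_add_x_forwarded_for(client_xff, remote_addr):
    """nginx's $proxy_add_x_forwarded_for: the request's X-Forwarded-For with
    $remote_addr appended after a comma, or $remote_addr alone if absent."""
    return f"{client_xff}, {remote_addr}" if client_xff else remote_addr

def backend_remote_addr(xff, peer_addr):
    """ASSUMED model of the patched thttpd (not its real code): accept the
    header only if it is exactly one IP address, else keep the socket peer."""
    if xff is None:
        return peer_addr
    try:
        return str(ipaddress.ip_address(xff.strip()))
    except ValueError:  # a list such as "a, b" is not a single address
        return peer_addr

def simulate(client_ip, client_xff, mode):
    """One request client -> nginx -> thttpd; returns (header sent, REMOTE_ADDR)."""
    if mode == "append":       # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        sent = proxy_add_x_forwarded_for(client_xff, client_ip)
    elif mode == "overwrite":  # proxy_set_header X-Forwarded-For $remote_addr;
        sent = client_ip
    else:
        raise ValueError(f"unknown mode: {mode}")
    return sent, backend_remote_addr(sent, NGINX_PEER)

if __name__ == "__main__":
    # Constructed sample requests: (client address, X-Forwarded-For it sent)
    requests = [("203.0.113.9", None), ("203.0.113.9", "198.51.100.4")]
    for client_ip, client_xff in requests:
        for mode in ("append", "overwrite"):
            sent, seen = simulate(client_ip, client_xff, mode)
            print(f"client={client_ip} xff_in={client_xff!r} {mode:9} "
                  f"sent={sent!r} REMOTE_ADDR={seen}")
```

In "overwrite" mode any X-Forwarded-For value supplied in the request to nginx is discarded, which is one possible answer to the question of what to do with it; in "append" mode a request that already carries the header reaches the backend as a list and the modelled backend falls back to 127.0.0.1.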


