Behavior of realip module with this config

Maxim Dounin mdounin at
Fri Feb 10 12:33:35 UTC 2017


On Thu, Feb 09, 2017 at 05:49:13PM -0500, Paul Nickerson wrote:

> I've got the config below. I don't have these settings reconfigured
> anywhere else. My understanding is that no matter anything else at all
> anywhere else, and no matter whether the X-Forwarded-For field in the HTTP
> header has one or multiple IP addresses, or isn't even present,
> $remote_addr will not be altered.
>
> set_real_ip_from;
> real_ip_header X-Forwarded-For;
> real_ip_recursive on;
>
> From what I read, "real_ip_recursive on" means that $remote_addr can only
> be set to an IP address that is not in the range set by set_real_ip_from.
> And since that's, there is no IP that can meet this requirement.
> Am I correct in my analysis?

CIDR means -, so any IP address 
is allowed to change the IP via X-Forwarded-For.  You can find 
more information about CIDR notation here:

And real_ip_recursive switched on means that this happens 
recursively.  As a result, with the configuration in question 
nginx will use the first address in X-Forwarded-For provided, if 
any (assuming all addresses are valid).

Note that "set_real_ip_from" makes the client's address as 
seen by nginx easily spoofable by any client, and it is generally 
a bad idea to use it in production.

Maxim Dounin
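
Added example, not part of the original message and not nginx's own code: a simplified Python model of the recursive lookup described in the reply above, comparing a trusted range that covers every address with one limited to the front proxy. The function names, the sample addresses and the `0.0.0.0/0` and `10.0.0.0/8` ranges are assumptions constructed for this illustration.

```python
import ipaddress

def resolve_client_addr(peer, xff, trusted, recursive=True):
    """Simplified model: walk X-Forwarded-For from the right while the
    current address is inside a trusted range."""
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    current = peer
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and is_trusted(current):
        candidate = hops.pop()          # rightmost remaining entry
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                       # unparsable entry: keep current
        current = candidate
        if not recursive:
            break
    return current

# Constructed scenario: a client at 192.0.2.10 sends its own
# "X-Forwarded-For: 203.0.113.99"; the front proxy at 10.0.0.5 appends the
# address it actually saw before passing the request on.
PEER = "10.0.0.5"
XFF = "203.0.113.99, 192.0.2.10"

def compare():
    return {
        # Every address is trusted, so the walk ends at the first entry,
        # which the client wrote itself.
        "trust_everything": resolve_client_addr(PEER, XFF, ["0.0.0.0/0"]),
        # Only the proxy range is trusted, so the walk stops at the
        # address the proxy recorded.
        "trust_proxy_only": resolve_client_addr(PEER, XFF, ["10.0.0.0/8"]),
    }

if __name__ == "__main__":
    for name, addr in compare().items():
        print(f"{name}: {addr}")
```
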
