Usage of $proxy_add_x_forwarded_for on edge proxies

nanaya me at
Tue Jan 12 14:14:50 UTC 2021

Should there be warning in documentation on usage of $proxy_add_x_forwarded_for for X-Forwarded-For proxy header on edge proxies?

I keep seeing config examples with proxy settings like this:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Which doesn't make sense on edge servers as there's no way to trust the client-provided value. At best it just adds unnecessary complexity trying to figure out the last "trustworthy" entry.

The correct value should be just $remote_addr (and thus drop client-provided values).

I think $proxy_add_x_forwarded_for should only be used for proxies located behind another proxy.

(or someone please correct me on this)

More information about the nginx mailing list