Usage of $proxy_add_x_forwarded_for on edge proxies

Maxim Dounin mdounin at mdounin.ru
Tue Jan 12 17:46:45 UTC 2021 

Hello!

On Tue, Jan 12, 2021 at 11:14:50PM +0900, nanaya wrote:

> Should there be warning in documentation on usage of $proxy_add_x_forwarded_for for X-Forwarded-For proxy header on edge proxies?
> 
> I keep seeing config examples with proxy settings like this:
> 
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> 
> Which doesn't make sense on edge servers as there's no way to trust the client-provided value. At best it just adds unnecessary complexity trying to figure out the last "trustworthy" entry.
> 
> The correct value should be just $remote_addr (and thus drop client-provided values).
> 
> I think $proxy_add_x_forwarded_for should only be used for proxies located behind another proxy.
> 
> (or someone please correct me on this)

Let me be someone.

The X-Forwarded-For is expected to contain multiple addresses, with 
the last one being from the last proxy.  It is up to the reader of 
the header to trust or not particular values from the header.

For example, in the realip module nginx provides set_real_ip_from 
and real_ip_recursive directives to configure which addresses to 
trust (see http://nginx.org/r/set_real_ip_from and 
http://nginx.org/r/real_ip_recursive).  Similarly, in the geo 
module there are "proxy" and "proxy_recursive" parameters, and in 
the geoip module there are "geoip_proxy" and 
"geoip_proxy_recursive" directives.

In some cases it might be a good idea to trust X-Forwarded-For 
values provided by clients: for example, the are some well-known 
public proxies, such as Opera Mini proxies.  And it might be a 
good idea to trust almost everything if you are trying to extract 
some non-essential details, such as best-guess geoinformation.

And it is always a good idea to preserve X-Forwarded-For provided 
by client, if any.  In particular, it can be used in abuse reports 
and various investigations.

If you want to use something without extra complexity, consider 
using X-Real-IP header instead, which is expected to contain only 
one client address as set by your edge/frontend servers.

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx mailing list