Usage of $proxy_add_x_forwarded_for on edge proxies
mdounin at mdounin.ru
Tue Jan 12 17:46:45 UTC 2021
On Tue, Jan 12, 2021 at 11:14:50PM +0900, nanaya wrote:
> Should there be a warning in documentation on usage of $proxy_add_x_forwarded_for for X-Forwarded-For proxy header on edge proxies?
> I keep seeing config examples with proxy settings like this:
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> Which doesn't make sense on edge servers as there's no way to trust the client-provided value. At best it just adds unnecessary complexity trying to figure out the last "trustworthy" entry.
> The correct value should be just $remote_addr (and thus drop client-provided values).
> I think $proxy_add_x_forwarded_for should only be used for proxies located behind another proxy.
> (or someone please correct me on this)
Let me be someone.
The X-Forwarded-For is expected to contain multiple addresses, with
the last one being from the last proxy. It is up to the reader of
the header to trust or not particular values from the header.
For example, in the realip module nginx provides set_real_ip_from
and real_ip_recursive directives to configure which addresses to
trust (see http://nginx.org/r/set_real_ip_from and
http://nginx.org/r/real_ip_recursive). Similarly, in the geo
module there are "proxy" and "proxy_recursive" parameters, and in
the geoip module there are "geoip_proxy" and
In some cases it might be a good idea to trust X-Forwarded-For
values provided by clients: for example, there are some well-known
public proxies, such as Opera Mini proxies. And it might be a
good idea to trust almost everything if you are trying to extract
some non-essential details, such as best-guess geoinformation.
And it is always a good idea to preserve X-Forwarded-For provided
by client, if any. In particular, it can be used in abuse reports
and various investigations.
If you want to use something without extra complexity, consider
using X-Real-IP header instead, which is expected to contain only
one client address as set by your edge/frontend servers.
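The trust decision Maxim describes (the reader of X-Forwarded-For, not the writer, decides which entries to believe) can be made concrete with a small model of the realip module's set_real_ip_from / real_ip_recursive behaviour. The following is an added example written for this thread, not code from nginx; it approximates the module's right-to-left walk over the header in Python, and the trusted ranges and header values are constructed inputs using RFC 5737 documentation addresses, not anything from the original message.

```python
import ipaddress

# Constructed trust list, standing in for set_real_ip_from directives:
# an internal load balancer range and an upstream CDN range.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def is_trusted(addr, trusted_nets):
    """True if addr falls inside one of the configured proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def proxy_add_x_forwarded_for(remote_addr, incoming_xff):
    """Model of $proxy_add_x_forwarded_for: append the TCP peer address to
    whatever the client sent, or start a new header if none was sent.
    Note that the client-provided prefix is kept verbatim, which is why the
    value is only meaningful to a downstream reader that knows which
    entries to trust."""
    if incoming_xff:
        return f"{incoming_xff}, {remote_addr}"
    return remote_addr


def real_client_ip(remote_addr, xff, trusted_nets, recursive=False):
    """Approximation of the realip module with real_ip_header X-Forwarded-For.

    - If the TCP peer (remote_addr) is not a trusted proxy, the header is
      ignored entirely: this is the edge-proxy case from the thread.
    - Non-recursive: take the last (rightmost) entry, i.e. the address the
      trusted peer itself appended.
    - Recursive: walk right to left, skipping trusted proxy addresses, and
      stop at the first untrusted one; if every entry is trusted, the
      leftmost entry wins. An unparseable entry stops the walk, keeping
      whatever was found so far (remote_addr if nothing was).
    """
    if not is_trusted(remote_addr, trusted_nets):
        return remote_addr

    entries = [e.strip() for e in (xff or "").split(",") if e.strip()]
    found = remote_addr
    for entry in reversed(entries):
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            break
        found = entry
        if not recursive or not is_trusted(entry, trusted_nets):
            break
    return found


if __name__ == "__main__":
    # Edge proxy with no trusted peers: a spoofed header changes nothing.
    print(real_client_ip("198.51.100.7", "192.0.2.1", []))
    # Behind the internal LB, non-recursive: last entry is used.
    print(real_client_ip("10.0.0.5", "192.0.2.9, 203.0.113.20, 10.0.0.6",
                         TRUSTED_PROXIES))
    # Same header, recursive: walk past both trusted hops to the client.
    print(real_client_ip("10.0.0.5", "192.0.2.9, 203.0.113.20, 10.0.0.6",
                         TRUSTED_PROXIES, recursive=True))
    # What the edge would forward upstream with $proxy_add_x_forwarded_for.
    print(proxy_add_x_forwarded_for("198.51.100.7", "192.0.2.1"))
```

The non-recursive and recursive results on the same header illustrate the point of the reply: with an empty trust list the edge simply reports the TCP peer, while a proxy that knows its upstream ranges can walk back through them and still keep the client-supplied prefix intact for later investigation.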