Usage of $proxy_add_x_forwarded_for on edge proxies

Tue Jan 12 21:50:47 UTC 2021

On Wed, Jan 13, 2021, at 02:46, Maxim Dounin wrote:
> The X-Forwarded-For is expected to contain multiple addresses, with 
> the last one being from the last proxy.  It is up to the reader of 
> the header to trust or not particular values from the header.
> 
> For example, in the realip module nginx provides set_real_ip_from 
> and real_ip_recursive directives to configure which addresses to 
> trust (see http://nginx.org/r/set_real_ip_from and 
> http://nginx.org/r/real_ip_recursive).  Similarly, in the geo 
> module there are "proxy" and "proxy_recursive" parameters, and in 
> the geoip module there are "geoip_proxy" and 
> "geoip_proxy_recursive" directives.
> 
> In some cases it might be a good idea to trust X-Forwarded-For 
> values provided by clients: for example, the are some well-known 
> public proxies, such as Opera Mini proxies.  And it might be a 
> good idea to trust almost everything if you are trying to extract 
> some non-essential details, such as best-guess geoinformation.
> 
> And it is always a good idea to preserve X-Forwarded-For provided 
> by client, if any.  In particular, it can be used in abuse reports 
> and various investigations.
> 
> If you want to use something without extra complexity, consider 
> using X-Real-IP header instead, which is expected to contain only 
> one client address as set by your edge/frontend servers.
> 

Is it not better to just handle all of those at the outermost proxy (with set_real_ip_from etc) and only pass the "sanitized" $remote_addr value to the upstream? At least for simple config, similar to the default REMOTE_ADDR in fastcgi_params etc.

It seems like a lot of potential point of failures trying to pass the value around. And people sharing this possibly dangerous config around without warning of its implication isn't helping, I think.

I guess X-Real-IP could work although I don't remember seeing it used by anything but nginx. And then I think there have been a bunch of problems caused by applications blindly trusting X-Forwarded-For which usually ends up with stripping everything but the last non-private ip by default - essentially a more complex version of outermost proxy passing $remote_addr for that header.