Usage of $proxy_add_x_forwarded_for on edge proxies

nanaya me at
Wed Jan 13 14:39:13 UTC 2021

On Wed, Jan 13, 2021, at 22:53, Maxim Dounin wrote:
> It's not "dangerous config", it's incorrect usage of 
> X-Forwarded-For which might be dangerous.  In the simplest 
> configuration with a single server the X-Forwarded-For header 
> comes directly from the client, without anything added by nginx - 
> and this has exactly the same implications.

Unfortunately, at least in rails, it's actually dangerous to pass the value as is:

At least they have added a bunch of checks to make it less dangerous even when using $proxy_add_x_forwarded_for (it essentially works just like $remote_addr in the default config).

> While X-Forwarded-For is often misused by applications and 
> incorrect configurations by blindly trusting addresses in it, 
> removing the header is going to destroy the information 
> available for well-written applications.  While it might be a 
> good idea to remove the header in your particular use case - if 
> you are sure enough your applications don't use it - this is 
> certainly not how things should be configured by default.

Yeah, I'm not going to trust X-Forwarded-For sent by client. Maybe it's just me. $remote_addr to me is their geolocation. Anything more "sophisticated" just looked like a potential source of failure.

And I don't want to have to worry if my $random_app parses the X-Forwarded-For sanely. At most I'd just log it at the edge server.

Look at this wonderful function by wordpress (thankfully they are aware it's "unsafe"):

Semi-unrelated, but I can't find this list of IPs used by Opera Mini proxies. Do you know where I can find it?

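The disagreement in this thread is really about who parses X-Forwarded-For and how. Below is an added example (not code from the nginx project, nor the Rails or WordPress functions linked in the thread) that models the three common edge choices for the upstream header (no proxy_set_header at all, $proxy_add_x_forwarded_for, and $remote_addr) and then resolves the client address the way a "well-written application" has to: walk the header from the right and stop at the first address that is not one of your own trusted proxies. All addresses, header values and the trusted-proxy range are constructed for illustration.

```python
"""X-Forwarded-For at the edge and in the app: what nginx sends upstream
under each proxy_set_header choice, and how an application should read it.

Added example for the thread; addresses and headers below are constructed.
"""
import ipaddress
from typing import Iterable, Optional


def edge_header(setting: str, client_sent: Optional[str], remote_addr: str) -> Optional[str]:
    """Value of X-Forwarded-For that nginx forwards upstream.

    setting is one of:
      "pass-through"                - no proxy_set_header for X-Forwarded-For; the
                                      client-supplied header is relayed unchanged
      "$proxy_add_x_forwarded_for"  - client header with $remote_addr appended
                                      (just $remote_addr when the client sent none)
      "$remote_addr"                - client header discarded, peer address only
    """
    if setting == "pass-through":
        return client_sent
    if setting == "$proxy_add_x_forwarded_for":
        return f"{client_sent}, {remote_addr}" if client_sent else remote_addr
    if setting == "$remote_addr":
        return remote_addr
    raise ValueError(f"unknown setting {setting!r}")


def _parse_addr(token: str):
    """Parse one comma-separated element; None for junk such as 'unknown',
    hostnames, or an injected string. Tolerates an optional :port suffix."""
    token = token.strip()
    if token.startswith("[") and "]" in token:      # "[2001:db8::1]:443"
        token = token[1:token.index("]")]
    elif token.count(":") == 1:                     # "203.0.113.7:51234"
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def naive_client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """The pattern the thread warns about: trust the leftmost entry blindly."""
    if xff:
        first = _parse_addr(xff.split(",")[0])
        if first is not None:
            return str(first)
    return peer_addr


def client_ip(peer_addr: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Resolve the client address from the app's point of view.

    peer_addr       - the TCP peer the app accepted the connection from
                      (nginx's $remote_addr as seen by the upstream)
    xff             - X-Forwarded-For as received, or None
    trusted_proxies - CIDRs of the proxies whose appended entries we believe

    Each entry was appended by the hop to its right, so it is only as
    trustworthy as that hop. Walk right-to-left and return the first entry
    that is not a trusted proxy. If the peer itself is not a trusted proxy
    the header is plain client input and is ignored, which is exactly the
    single-server case from the thread.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_addr)
    if not xff or not is_trusted(peer):
        return str(peer)
    chain = [a for a in (_parse_addr(t) for t in xff.split(",")) if a is not None]
    for addr in reversed(chain):
        if not is_trusted(addr):
            return str(addr)
    # Every entry is one of our own proxies: the only address we can vouch for
    # is the peer (a design choice for this example; frameworks differ here).
    return str(peer)


# Constructed scenario: client 198.51.100.9 spoofs a header claiming to be
# 10.0.0.1, the nginx edge is 203.0.113.7, and the app trusts 203.0.113.0/24.
CLIENT = "198.51.100.9"
EDGE = "203.0.113.7"
TRUSTED = ["203.0.113.0/24"]
SPOOFED = "10.0.0.1"


def resolve_via_edge(setting: str) -> str:
    """Client address the app computes when the edge uses the given setting."""
    return client_ip(EDGE, edge_header(setting, SPOOFED, CLIENT), TRUSTED)


if __name__ == "__main__":
    for s in ("pass-through", "$proxy_add_x_forwarded_for", "$remote_addr"):
        print(f"{s:28s} upstream XFF={edge_header(s, SPOOFED, CLIENT)!r:32} -> {resolve_via_edge(s)}")
    print("naive leftmost parse:", naive_client_ip(EDGE, edge_header("$proxy_add_x_forwarded_for", SPOOFED, CLIENT)))
```

The run shows both sides of the argument: with $proxy_add_x_forwarded_for or $remote_addr at the edge, an app that walks from the right and trusts only its edge range gets 198.51.100.9 regardless of what the client injected, so the two settings are equivalent for that app; pass-through lets the spoofed 10.0.0.1 through; and a naive leftmost parse is fooled even when the edge appended correctly, which is the failure mode that makes dropping the header at the edge tempting.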