Questions about real ip module

nanaya me at nanaya.pro
Wed Aug 3 05:58:59 UTC 2022


Hi

On Wed, Aug 3, 2022, at 07:34, Francis Daly wrote:
> On Sat, Jul 30, 2022 at 05:13:52AM +0900, nanaya wrote:
>
>
>> 1. is there no way to reset the list of `set_real_ip_from` for a specific subsection? For example to have a completely different set of trusted addresses for a specific server
>> 
>
> That one seems to work for me.
>
> set_real_ip_from at http level, with another value at server level. A
> server without the second value uses the http-level one; a server with
> the second value uses that value only.
>
> Can you show a sample config that does not work?
>

It looks like I tested it at location level. I guess it's similar behavior to the real_ip_header inheritance you mentioned below?

http {
  set_real_ip_from 10.0.0.1;
  server {
    location /a/ {
      set_real_ip_from 10.0.0.2;
      access_log /var/log/nginx/test.log; # <- accessing from both 10.0.0.1 and 10.0.0.2 with X-Real-Ip logs the specified header's ip address
    }
  }
}

>> 2. does setting `real_ip_header '';` in a section effectively disable the module for the section?
>
> I don't see that it does; and I don't see that the documentation says
> that it would. So I'd say "no, it does not".
>

It seems to achieve the same effect though, considering it's not really possible to send an empty header (or is it?).

>> 3. documentation says `real_ip_header` is allowed in location block but it doesn't seem to do anything?
>> 
>
> This one is a bit subtle.
>
> As far as I can see, if there is no value at http or server level,
> then the value at location level is effectively used. But if there is
> something at http or server level, then the value at location level is
> effectively ignored.
>
> That's not the usual way that nginx directive inheritance works; my guess
> in this case is that the replacement-ip-address-variable is set at the
> outermost level, and then in the inner level, the variable is seen to
> have a value and that value is re-used rather than re-calculated.
>
>> This still uses address from X-Real-Ip instead of X-Other for allow check and log:
>> 
>
> From playing with 1.22, if you want different real_ip_header header
> values to apply in different locations, you probably need to only set
> the directive at location level -- and set it in every location where
> you want it.
>
> Basically -- ensure that there is nothing to be inherited into a section
> that wants to have a specific value set, so that the curious effective
> inheritance behaviour of this directive does not take effect.
>
> That might let you get the end result that you want today; if you want
> a future version to work in "the expected" fashion, then you'll want to
> convince someone that the cost of maintaining the new code to do that
> is less than the benefit of being able to do that.
>

Thanks. I've reworked the config so it's not needed anymore.
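
An added example (not part of the thread and not from either poster): a minimal nginx configuration laid out the way Francis Daly's reply describes, with a log format that records both the connecting address and the substituted one so the effective behaviour can be checked on your own build. The server names, port, log paths, the 192.0.2.0/24 allow range and the `realip_check` format name are assumptions; `X-Other` and the 10.0.0.x addresses are the ones used in the thread.

```nginx
# Added example; names, port, paths and the allow range are constructed.
events {}

http {
    # $realip_remote_addr is the original peer address, $remote_addr the
    # address after any substitution; logging both headers shows which one won.
    log_format realip_check '$realip_remote_addr -> $remote_addr '
                            'x-real-ip="$http_x_real_ip" '
                            'x-other="$http_x_other" "$request"';

    # http-level trusted proxy, inherited by servers that set none of their own.
    set_real_ip_from 10.0.0.1;

    # No real_ip_header at http or server level, so that (per the reply)
    # nothing is inherited into the locations that set it.

    server {
        listen 8080;
        server_name one.example.test;   # trusts 10.0.0.1 (inherited)

        location /a/ {
            real_ip_header X-Real-IP;
            access_log /var/log/nginx/one_a.log realip_check;
        }

        location /b/ {
            real_ip_header X-Other;
            allow 192.0.2.0/24;         # evaluated against the substituted address
            deny all;
            access_log /var/log/nginx/one_b.log realip_check;
        }
    }

    server {
        listen 8080;
        server_name two.example.test;

        # Server-level value: per the reply, only 10.0.0.2 is trusted here.
        set_real_ip_from 10.0.0.2;

        location / {
            real_ip_header X-Real-IP;
            access_log /var/log/nginx/two.log realip_check;
        }
    }
}
```

Send requests through each trusted proxy with both headers set and compare the two addresses in each log line. If `/b/` records the `X-Real-IP` value rather than the `X-Other` one, the location-level header was not the one applied.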


