#100 closed enhancement (fixed)
http_geoip_module should support requests from proxies
| Reported by: | Robby Grossman | Owned by: | Ruslan Ermilov |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.0.x |
| Keywords: | Cc: | ||
| uname -a: | Linux ip-10-87-43-13 2.6.32-318-ec2 #38-Ubuntu SMP Thu Sep 1 18:09:30 UTC 2011 x86_64 GNU/Linux | ||
| nginx -V: | nginx version: nginx/1.0.12 | ||
Description
When using the http_geoip_module through a proxy, the IP address used for the geolocation lookup is that of the proxy rather than the end-user.
On apache, one can use the "GeoIPScanProxyHeaders On" directive to tell GeoIP to use the X-Forwarded-For header instead of the typical remote address. This functionality should be replicated in the nginx module.
Change History (4)
comment:1 by , 12 years ago
comment:2 by , 12 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 12 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
In [4628/nginx]:
(The changeset message doesn't reference this ticket)
Note:
See TracTickets
for help on using tickets.
I patched this by using the X-Forwarded-For header if it's provided. You can see my changes here: https://github.com/freerobby/ngx_http_geoip_module-xfwd/compare/b1d1...master
We're behind a firewall so we don't need to worry about forgery, but in most production environments it is better to use the realip module so that one can protect against forgery. Feel free to close out this ticket since that solution does exist for most people. I was hoping to avoid it because we have some code that relies on the non-overridden $remote_addr (that of the most recent proxy it came from).