Opened 8 years ago

Last modified 8 years ago

#1025 new enhancement

No country detected for requests with X-Forwarded-For or any reserved IP address

Reported by: romamo@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.10.x
Keywords: ngx_http_geoip_module, geoip Cc:
uname -a: FreeBSD test 9.3-RELEASE FreeBSD 9.3-RELEASE #0: Tue Nov 3 13:52:37 UTC 2015 /usr/obj/usr/src/sys/EX4RVM91 amd64
nginx -V: nginx version: nginx/1.10.1
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/ --error-log-path=/var/log/nginx-error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx-access.log --with-http_geoip_module=dynamic --with-http_gzip_static_module --with-http_image_filter_module=dynamic --add-module=/usr/ports/www/nginx/work/ngx_http_substitutions_filter_module-0.6.4 --with-http_stub_status_module --with-pcre


I use ngx_http_geoip_module to detect origin country of every request including requests behind public proxy servers.

geoip_country /usr/local/etc/nginx/geobase/GeoIP-106_20160712.dat;
geoip_proxy_recursive on; # Use X-Forwarded-For

if X-Forwarded-For header contains IP address from reserved range

$geoip_country_code is empty ""

For example: X-Forwarded-For:

GeoIP database has empty values for these IP ranges.
GeoIP2 database has no values.

I think nginx_geoip module must query geoip database again using REMOTE_ADDR if no country value received using X-Forwarded-For value.

How to repeat

curl --header "X-Forwarded-For:" http://localhost/test.php

Alternative solution may be put all valid IP ranges into geoip_proxy like
but it may lower performance.

Change History (2)

comment:1 by romamo@…, 8 years ago

Sorry Alternative solution is not correct and does not solve the problem.

comment:2 by Maxim Dounin, 8 years ago

Type: defectenhancement

It looks like you are asking for something similar to GeoIPUseFirstNonPrivateXForwardedForIP in MaxMind's mod_geoip2.

This is not something nginx can do now. Currently, general concept is to only trust explicitly configured proxies, and if a proxy returns an address - provide information for this address whether we know something about the address or not. This approach is much more secure as it doesn't allow users to provide arbitrary addresses nginx will blindly trust, but this may be too strict for just geoinformation.

Changing this to "enhancement" as current behaviour is intended and certainly not a bug, though we may want to introduce different behaviour to simplify providing "best case" geoinformation.

Note: See TracTickets for help on using tickets.