id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 1098 realip_remote_addr overwritten vladimir.golovin00@… "Hello, I noticed that $real_remote_addr gets overwritten when the first ip (left) and all ips in the header match ranges from set_real_ip_from. My understanding is that it should never get overwritten. Example: nginx compiled with ./configure --with-http_realip_module nginx.conf: --------------- user www-data; worker_processes 1; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; log_format special '$remote_addr - $remote_user [$time_local] ""$request"" ' '$status $body_bytes_sent ""$http_referer"" ' '""$http_user_agent"" ""$http_x_forwarded_for"" ""$realip_remote_addr""'; access_log access.log special; real_ip_header X-Forwarded-For; set_real_ip_from 127.0.0.1/32; set_real_ip_from 192.168.0.0/24; server { listen 80; server_name localhost; location / { root html; index index.html index.htm; } } } --------------- curl -H ""X-Forwarded-For: 192.168.0.1"" 127.0.0.1 Expected result: 192.168.0.1 - - [06/Oct/2016:16:56:33 +0000] ""GET / HTTP/1.1"" 200 612 ""-"" ""curl/7.38.0"" ""192.168.0.1"" ""127.0.0.1"" Actual result: 192.168.0.1 - - [06/Oct/2016:16:56:33 +0000] ""GET / HTTP/1.1"" 200 612 ""-"" ""curl/7.38.0"" ""192.168.0.1"" ""192.168.0.1"" ""$realip_remote_addr keeps the original client address"" Also if we do: curl -H ""X-Forwarded-For: 4.4.4.4, 192.168.0.1"" 127.0.0.1 (adding one extra IP not from set_real_ip_from) The log has 127.0.0.1 as it should: 4.4.4.4 - - [06/Oct/2016:16:59:44 +0000] ""GET / HTTP/1.1"" 200 612 ""-"" ""curl/7.38.0"" ""4.4.4.4, 192.168.0.1"" ""127.0.0.1"" Tried latest nginx 1.10.1 and 1.11.4" defect closed minor 1.11.5 other 1.11.x fixed "nginx version: nginx/1.10.1 built by gcc 4.9.2 (Debian 4.9.2-10) configure arguments: --with-http_realip_module"