Opened 6 years ago

Closed 6 years ago

#1411 closed defect (wontfix)

realip module using first of multiple X-Real-IP or custom headers

Reported by: Andjelko Horvat
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version: 1.13.x
Keywords: realip x-real-ip x-forwarded-for multiple headers
Cc:
uname -a: Linux cmp 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.7
built by gcc 4.9.2 (Debian 4.9.2-10)
configure arguments: --with-http_realip_module

Description

This is a continuation of https://trac.nginx.org/nginx/ticket/106, the ngx_http_realip_module issue with multiple headers.

When multiple X-Real-IP headers (or multiple copies of a custom header set with real_ip_header) are sent in the request, nginx uses the first header, but it should use the last one.

E.g. in a request like:

curl -vIL -H'X-Real-IP: 1.1.1.1' -H'X-Real-IP: 2.2.2.2' 127.0.0.1 2>&1 | grep '^>'
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 127.0.0.1
> Accept: */*
> X-Real-IP: 1.1.1.1
> X-Real-IP: 2.2.2.2

1.1.1.1 would be used and not 2.2.2.2. If the load balancer just appends a new X-Real-IP header at the end, the first header is still used, and the client can e.g. bypass nginx ACLs.

This was fixed in #106 for the X-Forwarded-For header by merging multiple headers into one, but in the X-Real-IP/custom header case only the last header could be used, without merging.

Change History (1)

comment:1 by Maxim Dounin, 6 years ago

Resolution: wontfix
Status: new → closed

The X-Real-IP header is not expected to be used more than once (and it is expected to contain only one address). Accordingly, any additional X-Real-IP header fields are ignored by nginx. Load balancers are expected to replace the header, not append or even prepend it (though prepend will work correctly).
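
The difference between a balancer that appends X-Real-IP and one that replaces it, as an added example that is not part of the ticket and not nginx code. It is a simplified model of the first-header-wins selection described above; the function names are hypothetical and the addresses are constructed documentation addresses.

```python
# Added illustration: a simplified model, not nginx source code.
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]  # ordered, duplicates allowed, as on the wire


def lb_append(client_headers: Headers, peer_ip: str) -> Headers:
    """Balancer that keeps any client-sent X-Real-IP and adds its own last."""
    return client_headers + [("X-Real-IP", peer_ip)]


def lb_replace(client_headers: Headers, peer_ip: str) -> Headers:
    """Balancer that drops any client-sent X-Real-IP, then sets exactly one."""
    kept = [(k, v) for k, v in client_headers if k.lower() != "x-real-ip"]
    return kept + [("X-Real-IP", peer_ip)]


def first_header(headers: Headers, name: str = "X-Real-IP") -> Optional[str]:
    """Backend selection as the ticket describes it: first matching field wins."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v.strip()
    return None


def duplicate_count(headers: Headers, name: str = "X-Real-IP") -> int:
    """Number of fields with this name; more than one is worth logging or rejecting."""
    return sum(1 for k, _ in headers if k.lower() == name.lower())


# Constructed sample request: the client supplies its own X-Real-IP.
CLIENT_REQUEST: Headers = [("Host", "example.test"), ("X-Real-IP", "192.0.2.10")]
PEER_IP = "203.0.113.7"  # constructed: the address the balancer actually saw

if __name__ == "__main__":
    for lb in (lb_append, lb_replace):
        out = lb(CLIENT_REQUEST, PEER_IP)
        print(lb.__name__, "->", first_header(out), "fields:", duplicate_count(out))
```

With the appending balancer the backend sees the client-chosen value and two fields; with the replacing balancer it sees the peer address and one field.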
