Opened 7 years ago

Closed 7 years ago

#1411 closed defect (wontfix)

realip module using first of multiple X-Real-IP or custom headers

Reported by: Andjelko Horvat
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version: 1.13.x
Keywords: realip x-real-ip x-forwarded-for multiple headers
Cc:
uname -a: Linux cmp 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.13.7
  built by gcc 4.9.2 (Debian 4.9.2-10)
  configure arguments: --with-http_realip_module


This is a continuation of the ngx_http_realip_module issue with multiple headers.

When multiple X-Real-IP headers (or the custom header set with real_ip_header) are sent in the request, nginx uses the first header, but it should use the last one.

E.g. in a request like:

    curl -vIL -H'X-Real-IP:' -H'X-Real-IP:' 2>&1 | grep '^>'
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.38.0
    > Host:
    > Accept: */*
    > X-Real-IP:
    > X-Real-IP:

would be used and not . If the load balancer just appends a new X-Real-IP header at the end, then the first header is still used, and the client can e.g. bypass nginx ACLs.

This was fixed in #106 for the X-Forwarded-For header by merging multiple headers into one, but in the X-Real-IP/custom header case only the last header could be used, without merging.

Change History (1)

comment:1 by Maxim Dounin, 7 years ago

Resolution: wontfix
Status: new → closed

The X-Real-IP header is not expected to be used more than once (and it is expected to contain only one address). Accordingly, any additional X-Real-IP header fields are ignored by nginx. Load balancers are expected to replace the header, not append or even prepend it (though prepend will work correctly).
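The realip setup the ticket and the reply are discussing, written out as an added example; this is not configuration from the ticket or from nginx's documentation. The load balancer network (10.0.0.0/8), the protected path (/admin) and the permitted client network (192.0.2.0/24) are placeholders assumed for the example.

```nginx
# Added example, not from the ticket. Placeholders: 10.0.0.0/8 is the load
# balancer network, /admin the ACL-protected path, 192.0.2.0/24 the allowed clients.
http {
    # realip only honours the address header when the TCP peer is a trusted
    # proxy. Without this line any direct client could set X-Real-IP and
    # choose its own $remote_addr.
    set_real_ip_from 10.0.0.0/8;

    # X-Real-IP carries exactly one address in exactly one header field.
    # nginx takes the first X-Real-IP field and ignores additional ones, so
    # the load balancer must overwrite the header (prepending also works);
    # appending leaves a client-supplied first field in control.
    real_ip_header X-Real-IP;

    # Alternative for a balancer that appends to X-Forwarded-For instead:
    # multiple X-Forwarded-For fields are merged into one list, and with
    # real_ip_recursive on nginx walks that list from the right, skipping
    # addresses covered by set_real_ip_from.
    # real_ip_header   X-Forwarded-For;
    # real_ip_recursive on;

    # Log the TCP peer next to the address realip installed, so a mismatch
    # between the two (and the raw header) is visible during testing.
    log_format realip '$realip_remote_addr -> $remote_addr "$http_x_real_ip" "$request"';
    access_log /var/log/nginx/access.log realip;

    server {
        listen 80;

        # ACL evaluated against $remote_addr, i.e. against whatever address
        # realip accepted from the header.
        location /admin {
            allow 192.0.2.0/24;
            deny  all;
        }
    }
}
```

With a balancer that overwrites X-Real-IP, a client-supplied value is discarded before it reaches nginx. With a balancer that appends, the client's field arrives first and, per the comment above, is the one realip uses, which is the ACL bypass the reporter describes; the realip log format shows it as a $realip_remote_addr inside 10.0.0.0/8 paired with a $remote_addr the balancer never sent.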
