id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1411	realip module using first of multiple X-Real-IP or custom headers	Andjelko Horvat		"This is a continuation of [https://trac.nginx.org/nginx/ticket/106], the ngx_http_realip_module issue with multiple headers.

When multiple X-Real-IP headers, or multiple custom headers set with real_ip_header, are sent in the request, nginx uses the first header, but it should use the last one.

E.g. in request like:


{{{
curl -vIL -H'X-Real-IP: 1.1.1.1' -H'X-Real-IP: 2.2.2.2' 127.0.0.1 2>&1 | grep '^>'
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 127.0.0.1
> Accept: */*
> X-Real-IP: 1.1.1.1
> X-Real-IP: 2.2.2.2
}}}


1.1.1.1 would be used and not 2.2.2.2. If the load balancer just appends a new X-Real-IP header at the end, the first header is still used, and the client can, e.g., bypass nginx ACLs.

This was fixed in #106 for the X-Forwarded-For header by merging multiple headers into one, but in the X-Real-IP/custom header case only the last header could be used, without merging.
"	defect	closed	major		nginx-core	1.13.x	wontfix	realip x-real-ip x-forwarded-for multiple headers		Linux cmp 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) x86_64 GNU/Linux	"nginx version: nginx/1.13.7
built by gcc 4.9.2 (Debian 4.9.2-10) 
configure arguments: --with-http_realip_module"
