Opened 3 months ago

Closed 3 months ago

#1978 closed enhancement (wontfix)

Logging real client IP on invalid request

Reported by: miika.kankare.ocllo.fi@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.14.x
Keywords:
Cc:
uname -a: Linux server 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-GkiujU/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Description

We run nginx behind a proxy, which sets the X-Forwarded-For header containing the client's address. The real IP module in nginx then logs the client address correctly. This works well for any well-formed request.

We also have a tester that sends all manner of broken things at the service, which leads to some errors. In the case of invalid requests, the headers don't seem to be parsed so the real IP is missing from the log.

Sending something like this:

$ curl https://server.example.com/broken/%00 

Leads to a log message:

<proxy address here> - - [16/May/2020:09:43:51 +0300] "GET /broken/%00 HTTP/1.1" 400 166 "-" "-"

I'd like to see the real IP address in the logs for these invalid requests as well.

Change History (1)

comment:1 by Maxim Dounin, 3 months ago

Resolution: wontfix
Status: new → closed

As long as there is a syntax error in the request line, nginx does not try to parse request headers, and does not try to process the request. As such, the IP address change by the realip module never happens, and the IP address of the proxy is logged.

Usually this is not a problem, as the proxy is expected to pass only valid requests, and if we see something invalid this should be fixed on the proxy. Accordingly, logging the IP address of the proxy is the right thing to do.

In this particular case %00 is, however, syntactically valid, but rejected by nginx for security reasons. So, strictly speaking, there is no proxy bug here. Unfortunately, I don't think there is a good solution for this, since we certainly do not want to process requests with %00.

Just for reference, a similar problem when using real_ip_header proxy_protocol; was previously reported in #1869.
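
One way to handle this on the log-analysis side, as an added example that is not part of the ticket or of nginx: because nginx logs the proxy address for these requests, 400 entries that still carry the proxy address can be joined against the proxy's own access log to recover the client. The proxy address, the proxy writing combined-format lines, the 2-second skew and all sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: address of the fronting proxy, i.e. what set_real_ip_from trusts.
PROXY_ADDRS = {"10.0.0.5"}

# nginx "combined" format, the format of the log line quoted in the ticket.
COMBINED = re.compile(
    r'(?P<addr>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*"'
)

def parse(line):
    m = COMBINED.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"addr": m["addr"], "ts": ts, "req": m["req"], "status": int(m["status"])}

def unattributed(nginx_lines):
    """400 entries still carrying the proxy address: realip never ran for them."""
    entries = filter(None, map(parse, nginx_lines))
    return [e for e in entries if e["status"] == 400 and e["addr"] in PROXY_ADDRS]

def recover_clients(nginx_lines, proxy_lines, skew=timedelta(seconds=2)):
    """Match each unattributed entry to proxy-side entries by request line and time."""
    proxy = list(filter(None, map(parse, proxy_lines)))
    out = []
    for e in unattributed(nginx_lines):
        clients = sorted({p["addr"] for p in proxy
                          if p["req"] == e["req"] and abs(p["ts"] - e["ts"]) <= skew})
        out.append((e["req"], e["ts"].isoformat(), clients))
    return out

# Constructed sample data (documentation addresses), not taken from the ticket.
NGINX_LOG = [
    '203.0.113.7 - - [16/May/2020:09:43:50 +0300] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.58.0"',
    '10.0.0.5 - - [16/May/2020:09:43:51 +0300] "GET /broken/%00 HTTP/1.1" 400 166 "-" "-"',
]
PROXY_LOG = [  # assumed: the proxy also writes combined-format lines with the client address
    '203.0.113.7 - - [16/May/2020:09:43:50 +0300] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.58.0"',
    '198.51.100.23 - - [16/May/2020:09:43:51 +0300] "GET /broken/%00 HTTP/1.1" 400 166 "-" "curl/7.58.0"',
    '198.51.100.99 - - [16/May/2020:09:50:00 +0300] "GET /broken/%00 HTTP/1.1" 400 166 "-" "-"',
]

if __name__ == "__main__":
    for req, ts, clients in recover_clients(NGINX_LOG, PROXY_LOG):
        print(ts, req, "->", clients or "no proxy-side match")
```

More than one address in the result means several clients sent the same request line within the skew window, so the match is a candidate list rather than a definitive attribution.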
