Opened 13 years ago

Closed 12 years ago

Last modified 12 years ago

#2 closed enhancement (fixed)

HttpRealIpModule only seems to work with one trusted proxy, you can't build a list of trusted proxies as only the first one will work

Reported by: cwjam.com Owned by: Ruslan Ermilov
Priority: minor Milestone:
Component: nginx-module Version:
Keywords: HttpRealIpModule, set_real_ip_from Cc:
uname -a: Linux #9-Ubuntu SMP Thu Apr 15 04:14:01 UTC 2010 i686 GNU/Linux
nginx -V: nginx version: nginx/0.7.65
TLS SNI support enabled
configure arguments: --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-debug --with-http_stub_status_module --with-http_flv_module --with-http_ssl_module --with-http_dav_module --with-http_gzip_static_module --with-http_realip_module --with-mail --with-mail_ssl_module --with-ipv6 --add-module=/build/buildd/nginx-0.7.65/modules/nginx-upstream-fair

Description

HttpRealIpModule only seems to work with the first trusted proxy set via set_real_ip_from.
Any additional trusted proxies are ignored which contradicts the example at http://wiki.nginx.org/HttpRealIpModule

Example 1:
If you only supply one trusted proxy everything works as expected.

set_real_ip_from proxy_1_IP;
real_ip_header X-Forwarded-For;

X-Forwarded-For: client1, proxy_1_IP
$remote_addr = client1 (which is expected)

Example 2:
However if you provide a list of trusted proxies, only the first one is applied.

set_real_ip_from proxy_1_IP;
set_real_ip_from proxy_2_IP;
real_ip_header X-Forwarded-For;

X-Forwarded-For: client1, proxy_2_IP, proxy_1_IP
$remote_addr = proxy_2_IP (which is unexpected)

It looks like I'm not the only person to encounter this issue:
http://forum.nginx.org/read.php?2,154968,154996

The poster of that thread has supplied a patch (which I have not tested)
http://treehou.se/~omar/nginx-0.8.53-xff.patch

Thanks,
Ciaran

Attachments (1)

realip.diff (694 bytes ) - added by Joe Cai 13 years ago.
realip patch against nginx 1.0.12

Download all attachments as: .zip

Change History (5)

comment:1 by Maxim Dounin, 13 years ago

Status: newaccepted
Type: defectenhancement

This is not a bug, realip module doesn't follow ip addresses chain but rather uses last one (in case of X-Forwarded-For). Wiki is plain wrong here, feel free to fix it. Please refer to original documentation (in Russian) for clear and unambigous description:

http://sysoev.ru/nginx/docs/http/ngx_http_realip_module.html

I've reclassified this as an "enhancement" and leave it open for future review/work. The functionality itself likely be helpful in some setups, though I'm not sure I'm happy with the patch (at least, I would like to see this configurable and off by default, not unconditionally enabled).

by Joe Cai, 13 years ago

Attachment: realip.diff added

realip patch against nginx 1.0.12

comment:2 by Ruslan Ermilov, 13 years ago

Owner: changed from somebody to Ruslan Ermilov
Status: acceptedassigned

comment:3 by Ruslan Ermilov, 12 years ago

Resolution: fixed
Status: assignedclosed

In [4625/nginx]:

(The changeset message doesn't reference this ticket)

comment:3 by Maxim Dounin, 12 years ago

In [4669/nginx]:

(The changeset message doesn't reference this ticket)

Note: See TracTickets for help on using tickets.