#2 closed enhancement (fixed)
HttpRealIpModule only seems to work with one trusted proxy, you can't build a list of trusted proxies as only the first one will work
Reported by: | cwjam.com | Owned by: | Ruslan Ermilov |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | |
Keywords: | HttpRealIpModule, set_real_ip_from | Cc: | |
uname -a: | Linux #9-Ubuntu SMP Thu Apr 15 04:14:01 UTC 2010 i686 GNU/Linux | ||
nginx -V: |
nginx version: nginx/0.7.65
TLS SNI support enabled configure arguments: --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-debug --with-http_stub_status_module --with-http_flv_module --with-http_ssl_module --with-http_dav_module --with-http_gzip_static_module --with-http_realip_module --with-mail --with-mail_ssl_module --with-ipv6 --add-module=/build/buildd/nginx-0.7.65/modules/nginx-upstream-fair |
Description
HttpRealIpModule only seems to work with the first trusted proxy set via set_real_ip_from.
Any additional trusted proxies are ignored which contradicts the example at http://wiki.nginx.org/HttpRealIpModule
Example 1:
If you only supply one trusted proxy everything works as expected.
set_real_ip_from proxy_1_IP;
real_ip_header X-Forwarded-For;
X-Forwarded-For: client1, proxy_1_IP
$remote_addr = client1 (which is expected)
Example 2:
However if you provide a list of trusted proxies, only the first one is applied.
set_real_ip_from proxy_1_IP;
set_real_ip_from proxy_2_IP;
real_ip_header X-Forwarded-For;
X-Forwarded-For: client1, proxy_2_IP, proxy_1_IP
$remote_addr = proxy_2_IP (which is unexpected)
It looks like I'm not the only person to encounter this issue:
http://forum.nginx.org/read.php?2,154968,154996
The poster of that thread has supplied a patch (which I have not tested)
http://treehou.se/~omar/nginx-0.8.53-xff.patch
Thanks,
Ciaran
Attachments (1)
Change History (5)
comment:1 by , 13 years ago
Status: | new → accepted |
---|---|
Type: | defect → enhancement |
comment:2 by , 13 years ago
Owner: | changed from | to
---|---|
Status: | accepted → assigned |
comment:3 by , 13 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
In [4625/nginx]:
(The changeset message doesn't reference this ticket)
This is not a bug, realip module doesn't follow ip addresses chain but rather uses last one (in case of X-Forwarded-For). Wiki is plain wrong here, feel free to fix it. Please refer to original documentation (in Russian) for clear and unambigous description:
http://sysoev.ru/nginx/docs/http/ngx_http_realip_module.html
I've reclassified this as an "enhancement" and leave it open for future review/work. The functionality itself likely be helpful in some setups, though I'm not sure I'm happy with the patch (at least, I would like to see this configurable and off by default, not unconditionally enabled).