Opened 12 years ago

Closed 12 years ago

#277 closed defect (duplicate)

HttpRealipModule doesn't behave as expected with duplicate headers

Reported by: Neal Poole
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.2.x
Keywords:
Cc:
uname -a: Linux punbb-hosting-web 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux
nginx -V: nginx version: nginx/1.2.6
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6

Description

I'm running into an issue on Linode due to the way their NodeBalancer platform is configured. The NodeBalancer acts as a proxy and load balancer. Before forwarding a request, it adds an HTTP header (X-Forwarded-For) with the value set as the client's IP. If the request contained an X-Forwarded-For header to begin with (i.e., because the client's ISP uses a proxy that sends that information outbound), a duplicate header is created.

An example request, pulled from the server via tcpdump:

GET /foobar.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Forwarded-For: 127.0.0.2, 127.0.0.3
X-Forwarded-For: 207.38.128.123
Connection: close

According to RFC 2616, this is actually a valid construction (http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2):

"Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]."

However, with the request above and with HttpRealipModule enabled as follows, REMOTE_ADDR is set to 127.0.0.3:

set_real_ip_from   192.168.255.0/24;
real_ip_header     X-Forwarded-For;

I've tried setting real_ip_recursive to on as well but that did not change the result.
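
The difference this ticket turns on, as an added example that is not part of the original report or of nginx's code: a realip-style address selection run over the quoted request, once reading only the first X-Forwarded-For line (an assumption that reproduces the reported 127.0.0.3) and once merging duplicate lines in received order as RFC 2616 section 4.2 permits. The peer address 192.168.255.10 and all function names are assumptions.

```python
import ipaddress

# Constructed sample: the X-Forwarded-For lines of the request quoted in the ticket.
HEADERS = [
    ("X-Forwarded-For", "127.0.0.2, 127.0.0.3"),  # arrived from the client side
    ("X-Forwarded-For", "207.38.128.123"),        # appended by the balancer
]
TRUSTED = [ipaddress.ip_network("192.168.255.0/24")]  # set_real_ip_from
PEER = "192.168.255.10"  # assumed balancer address inside the trusted range


def forwarded_chain(headers, merge_duplicates):
    """Return X-Forwarded-For addresses in the order they were received."""
    lines = [v for n, v in headers if n.lower() == "x-forwarded-for"]
    if not merge_duplicates:
        lines = lines[:1]  # assumption: only the first header line is read
    return [a.strip() for line in lines for a in line.split(",") if a.strip()]


def is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable entries are never trusted
    return any(ip in net for net in trusted)


def real_ip(peer, headers, trusted, merge_duplicates=True, recursive=False):
    """Select the client address from the header, or fall back to the peer."""
    if not is_trusted(peer, trusted):
        return peer  # header ignored unless a trusted proxy sent the request
    chain = forwarded_chain(headers, merge_duplicates)
    if not chain:
        return peer
    if recursive:
        # Walk right to left, skipping trusted hops; leftmost if all trusted.
        pick = next((a for a in reversed(chain)
                     if not is_trusted(a, trusted)), chain[0])
    else:
        pick = chain[-1]
    try:
        return str(ipaddress.ip_address(pick))
    except ValueError:
        return peer  # malformed header value: keep the connection address


if __name__ == "__main__":
    for merge in (False, True):
        print(merge, real_ip(PEER, HEADERS, TRUSTED, merge, recursive=True))
```

With only the first line read, the selected address comes from a header value the client side controls; with the lines merged, the address the balancer appended is the last entry and is the one selected.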

Change History (1)

comment:1 by Ruslan Ermilov, 12 years ago

Resolution: duplicate
Status: new → closed

Duplicate of ticket #106.
