Opened 12 years ago
Closed 12 years ago
#277 closed defect (duplicate)
HttpRealipModule doesn't behave as expected with duplicate headers
| Reported by: | Neal Poole | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.2.x |
| Keywords: | | Cc: | |

uname -a: Linux punbb-hosting-web 2.6.39.1-linode34 #1 SMP Tue Jun 21 10:29:24 EDT 2011 i686 GNU/Linux

nginx -V:

```
nginx version: nginx/1.2.6
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6
```

Description
I'm running into an issue on Linode due to the way their NodeBalancer platform is configured. The NodeBalancer acts as a proxy and load balancer. Before forwarding a request, it adds an HTTP header (X-Forwarded-For) with the value set as the client's IP. If the request contained an X-Forwarded-For header to begin with (i.e., because the client's ISP uses a proxy that sends that information outbound), a duplicate header is created.
An example request, pulled from the server via tcpdump:
```
GET /foobar.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Forwarded-For: 127.0.0.2, 127.0.0.3
X-Forwarded-For: 207.38.128.123
Connection: close
```
According to RFC 2616, this is actually a valid construction (http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2):
"Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]."
However, with the request above and with HttpRealipModule enabled as follows, REMOTE_ADDR is set to 127.0.0.3:
```
set_real_ip_from 192.168.255.0/24;
real_ip_header X-Forwarded-For;
```
I've tried setting real_ip_recursive to on as well but that did not change the result.
Duplicate of ticket #106.
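
The gap between the reported result and the expected one, as an added example that is not part of the original ticket and is not nginx's code: a small Python model of the documented `real_ip_header` / `real_ip_recursive` selection rule, applied to the request in the description. The peer address `192.168.255.5`, the function names, and the "first line only" mode used to reproduce the reported value are assumptions made for illustration.

```python
import ipaddress

TRUSTED = [ipaddress.ip_network("192.168.255.0/24")]  # set_real_ip_from in the ticket

def xff_chain(headers, first_only=False):
    """Collect X-Forwarded-For addresses from (name, value) header pairs.
    first_only=False folds repeated lines into one list in arrival order
    (RFC 2616 sec. 4.2). first_only=True reads only the first line, an
    assumption that reproduces the result reported in the ticket.
    """
    lines = [v for n, v in headers if n.lower() == "x-forwarded-for"]
    if first_only:
        lines = lines[:1]
    return [a.strip() for line in lines for a in line.split(",") if a.strip()]

def is_trusted(addr, trusted=TRUSTED):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable entries are never trusted
    return any(ip in net for net in trusted)

def real_ip(peer, chain, recursive=False, trusted=TRUSTED):
    """Model of the documented rule: a trusted address is replaced by the
    last header address (non-recursive) or the last non-trusted one."""
    client = peer
    for addr in reversed(chain):
        if not is_trusted(client, trusted):
            break  # current address is not a trusted proxy: keep it
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            break  # malformed entry: stop rather than adopt it
        client = addr
        if not recursive:
            break
    return client

# Constructed input: the X-Forwarded-For lines of the request in the ticket.
HEADERS = [
    ("Host", "example.com"),
    ("X-Forwarded-For", "127.0.0.2, 127.0.0.3"),  # already in the client's request
    ("X-Forwarded-For", "207.38.128.123"),        # added by the NodeBalancer
]
PEER = "192.168.255.5"  # assumed NodeBalancer address inside the trusted range

if __name__ == "__main__":
    for first_only in (True, False):
        print(first_only, real_ip(PEER, xff_chain(HEADERS, first_only)))
```

When only the first line is read, the selected address comes from a header supplied by the client rather than by the balancer, and enabling recursion changes nothing because 127.0.0.3 is outside the trusted range.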