Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#447 closed defect (invalid)

X-Forwarded-For header incorrect sometimes when using nginx as proxy

Reported by: Jiri Horky Owned by:
Priority: minor Milestone:
Component: nginx-core Version:
Keywords: Cc:
uname -a:
nginx -V: nginx version: nginx/1.5.6
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g'



we found out that the nginx sometimes sets wrong IP addresses in "X-Forwarded-For" header. It seems to be some race condition that only triggers once per ~6000 requests in our environment. The correct field in the header should like like this:


but sometimes we see this:


i.e. two IP addresses separated by coma and space. We use nginx as SSL terminator/proxy, the config file is attached. The nginx version is 1.5.6.

Attachments (1)

nginx.conf (1.4 KB ) - added by Jiri Horky 11 years ago.
nginx configuration file

Download all attachments as: .zip

Change History (4)

by Jiri Horky, 11 years ago

Attachment: nginx.conf added

nginx configuration file

comment:1 by Jiri Horky, 11 years ago

Forgot to mention - the request rate is about 4000 connections per seconds, 80% of them are keepalived to the client side. But we saw this error to happen even with 400 conns/s.

comment:2 by Maxim Dounin, 11 years ago

Resolution: invalid
Status: newclosed

Multiple IP addresses in X-Forwarded-For is normal, see

comment:3 by Jiri Horky, 11 years ago

Just figured it out myself :-( Sorry for the noise.

Note: See TracTickets for help on using tickets.