Opened 5 years ago

Closed 3 years ago

#603 closed defect (wontfix)

Can't get original downstream IP when using the realip module

Reported by: www.google.com/accounts/o8/id?id=AItOawlqNUTPI35UZdu3uEALHeqlTRFkPjXes_k Owned by:
Priority: minor Milestone:
Component: other Version: 1.4.x
Keywords: realip Cc:
uname -a: Linux ubuntu-1404 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.4.6 (Ubuntu) built by gcc 4.8.2 (Ubuntu 4.8.2-16ubuntu6) TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.4.6/debian/modules/headers-more-nginx-module --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-cache-purge --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-development-kit --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.4.6/debian/modules/ngx-fancyindex --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-http-push --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-lua --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-upload-progress --add-module=/build/buildd/nginx-1.4.6/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.4.6/debian/modules/ngx_http_substitutions_filter_module

Description

I would like to use the realip module to transparently use functionality like allow rules while at the same time store the original $remote_addr. The below shows my config and the resulting curl:

$ cat default
server {
        server_name localhost;
        location / {
                set $real_remote_addr $remote_addr;
                echo real_remote_addr -> $real_remote_addr;
                set_real_ip_from   0.0.0.0/0;
                real_ip_header     X-Real-IP;
                echo remote_addr -> $remote_addr;
                echo X-Real-IP -> $http_x_real_ip;
        }
}
$ curl -H "X-Real-IP: 10.10.10.10" localhost
real_remote_addr -> 127.0.0.1
remote_addr -> 127.0.0.1
X-Real-IP -> 10.10.10.10

If I change the "set" clause realip behaves as expected but I loose the original ip.

$ cat default 
server {
        server_name localhost;
        location / {
                set $real_remote_addr "something else";
                echo real_remote_addr -> $real_remote_addr;
                set_real_ip_from   0.0.0.0/0;
                real_ip_header     X-Real-IP;
                echo remote_addr -> $remote_addr;
                echo X-Real-IP -> $http_x_real_ip;
        }
}
$ curl -H "X-Real-IP: 10.10.10.10" localhost
real_remote_addr -> something else
remote_addr -> 10.10.10.10
X-Real-IP -> 10.10.10.10

Is there any way to achieve what I'm trying to achieve? Is it expected that setting a variable from the $remote_addr breaks realip?

Change History (2)

comment:1 Changed 5 years ago by mdounin

The problem is that the $remote_addr variable value is cached on a first access (which happens before realip module is able to update remote address, as set_real_ip_from is specified at location level). Accessing the $remote_addr variable doesn't break realip though - the address as seen by nginx, e.g., by deny/allow directives, will be properly updated.

Not sure if it wroth fixing. Making $remote_addr uncacheable looks like an overkill for this particular edge case, and we currently have no mechanism in place to selectively flush cached variables. Normally, when realip is set on a server level, the address is updated before any other modules start to work, and this isn't a problem.

As for what are you trying to do - I tend to say that there is no good way to do this. The realip module is designed to completely replace the original address of a connection, and it doesn't try to make it accessible in any form.

comment:2 Changed 3 years ago by mdounin

  • Resolution set to wontfix
  • Status changed from new to closed

Just for the record: the $realip_remote_addr variable was added in nginx 1.9.7 to facilitate the original use case. There are no plans to change $remote_addr caching, so closing this.

Note: See TracTickets for help on using tickets.