Opened 13 years ago

Closed 13 years ago

Last modified 12 years ago

#100 closed enhancement (fixed)

http_geoip_module should support requests from proxies

Reported by: Robby Grossman Owned by: Ruslan Ermilov
Priority: minor Milestone:
Component: nginx-module Version: 1.0.x
Keywords: Cc:
uname -a: Linux ip-10-87-43-13 2.6.32-318-ec2 #38-Ubuntu SMP Thu Sep 1 18:09:30 UTC 2011 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.0.12

Description

When using the http_geoip_module through a proxy, the IP address used for the geolocation lookup is that of the proxy rather than the end-user.

On apache, one can use the "GeoIPScanProxyHeaders On" directive to tell GeoIP to use the X-Forwarded-For header instead of the typical remote address. This functionality should be replicated in the nginx module.

Change History (4)

comment:1 by Robby Grossman, 13 years ago

I patched this by using the X-Forwarded-For header if it's provided. You can see my changes here: https://github.com/freerobby/ngx_http_geoip_module-xfwd/compare/b1d1...master

We're behind a firewall so we don't need to worry about forgery, but in most production environments it is better to use the realip module so that one can protect against forgery. Feel free to close out this ticket since that solution does exist for most people. I was hoping to avoid it because we have some code that relies on the non-overridden $remote_addr (that of the most recent proxy it came from).

comment:2 by Ruslan Ermilov, 13 years ago

Owner: changed from somebody to Ruslan Ermilov
Status: newassigned

comment:3 by Ruslan Ermilov, 13 years ago

Resolution: fixed
Status: assignedclosed

In [4628/nginx]:

geoip: trusted proxies support and partial IPv6 support.

The module now supports recursive search of client address through the
chain of trusted proxies (closes #100), in the same scope as the geo
module. Proxies are listed by the "geoip_proxy" directive, recursive
search is enabled by the "geoip_proxy_recursive" directive. IPv6 is
partially supported: proxies may be specified with IPv6 addresses.

Example:

geoip_country .../GeoIP.dat;
geoip_proxy 127.0.0.1;
geoip_proxy ::1;
geoip_proxy 10.0.0.0/8;
geoip_proxy_recursive on;

comment:4 by Maxim Dounin, 12 years ago

In [4669/nginx]:

Merge of r4614, r4624-r4629, r4631: proxy recursive changes.

*) Added IPv6 and UNIX-domain socket support in "debug_connection"

directive.


*) New function ngx_http_get_forwarded_addr() to look up real client

address.

On input it takes an original address, string in the X-Forwarded-For format
and its length, list of trusted proxies, and a flag indicating to perform
the recursive search. On output it returns NGX_OK and the "deepest" valid
address in a chain, or NGX_DECLINED. It supports AF_INET and AF_INET6.
Additionally, original address and/or proxy may be specified as AF_UNIX.


*) Realip: chains of trusted proxies and IPv6 support.

The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "real_ip_recursive"
directive (closes #2). It also gets full IPv6 support (closes #44)
and canonical value of the $client_addr variable on address change.


Example:

real_ip_header X-Forwarded-For;
set_real_ip_from 127.0.0.0/8;
set_real_ip_from ::1;
set_real_ip_from unix:;
real_ip_recursive on;

*) Geo: chains of trusted proxies and partial IPv6 support.

The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "proxy_recursive"
directive in the "geo" block. It also gets partial IPv6 support:
now proxies may be specified with IPv6 addresses.

Example:

geo $test {

...
proxy 127.0.0.1;
proxy ::1;
proxy_recursive;

}

There's also a slight change in behavior. When original client
address (as specified by the "geo" directive) is one of the
trusted proxies, and the value of the X-Forwarded-For request
header cannot not be parsed as a valid address, an original client
address will be used for lookup. Previously, 255.255.255.255 was
used in this case.

*) Geoip: trusted proxies support and partial IPv6 support.

The module now supports recursive search of client address through the
chain of trusted proxies (closes #100), in the same scope as the geo
module. Proxies are listed by the "geoip_proxy" directive, recursive
search is enabled by the "geoip_proxy_recursive" directive. IPv6 is
partially supported: proxies may be specified with IPv6 addresses.

Example:

geoip_country .../GeoIP.dat;
geoip_proxy 127.0.0.1;
geoip_proxy ::1;
geoip_proxy 10.0.0.0/8;
geoip_proxy_recursive on;

Note: See TracTickets for help on using tickets.