Opened 13 years ago

Closed 12 years ago

Last modified 12 years ago

#100 closed enhancement (fixed)

http_geoip_module should support requests from proxies

Reported by: Robby Grossman
Owned by: Ruslan Ermilov
Priority: minor
Milestone:
Component: nginx-module
Version: 1.0.x
Keywords:
Cc:
uname -a: Linux ip-10-87-43-13 2.6.32-318-ec2 #38-Ubuntu SMP Thu Sep 1 18:09:30 UTC 2011 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.0.12

Description

When using the http_geoip_module through a proxy, the IP address used for the geolocation lookup is that of the proxy rather than the end-user.

On Apache, one can use the "GeoIPScanProxyHeaders On" directive to tell GeoIP to use the X-Forwarded-For header instead of the typical remote address. This functionality should be replicated in the nginx module.

Change History (4)

comment:1 by Robby Grossman, 13 years ago

I patched this by using the X-Forwarded-For header if it's provided. You can see my changes here: https://github.com/freerobby/ngx_http_geoip_module-xfwd/compare/b1d1...master

We're behind a firewall so we don't need to worry about forgery, but in most production environments it is better to use the realip module so that one can protect against forgery. Feel free to close out this ticket since that solution does exist for most people. I was hoping to avoid it because we have some code that relies on the non-overridden $remote_addr (that of the most recent proxy it came from).

comment:2 by Ruslan Ermilov, 12 years ago

Owner: changed from somebody to Ruslan Ermilov
Status: new → assigned

comment:3 by Ruslan Ermilov, 12 years ago

Resolution: fixed
Status: assigned → closed

In [4628/nginx]:

geoip: trusted proxies support and partial IPv6 support.

The module now supports recursive search of client address through the
chain of trusted proxies (closes #100), in the same scope as the geo
module. Proxies are listed by the "geoip_proxy" directive, recursive
search is enabled by the "geoip_proxy_recursive" directive. IPv6 is
partially supported: proxies may be specified with IPv6 addresses.

Example:

geoip_country .../GeoIP.dat;
geoip_proxy 127.0.0.1;
geoip_proxy ::1;
geoip_proxy 10.0.0.0/8;
geoip_proxy_recursive on;

comment:4 by Maxim Dounin, 12 years ago

In [4669/nginx]:

Merge of r4614, r4624-r4629, r4631: proxy recursive changes.

*) Added IPv6 and UNIX-domain socket support in "debug_connection"
directive.

*) New function ngx_http_get_forwarded_addr() to look up real client
address.

On input it takes an original address, string in the X-Forwarded-For format
and its length, list of trusted proxies, and a flag indicating to perform
the recursive search. On output it returns NGX_OK and the "deepest" valid
address in a chain, or NGX_DECLINED. It supports AF_INET and AF_INET6.
Additionally, original address and/or proxy may be specified as AF_UNIX.


*) Realip: chains of trusted proxies and IPv6 support.

The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "real_ip_recursive"
directive (closes #2). It also gets full IPv6 support (closes #44)
and canonical value of the $client_addr variable on address change.


Example:

real_ip_header X-Forwarded-For;
set_real_ip_from 127.0.0.0/8;
set_real_ip_from ::1;
set_real_ip_from unix:;
real_ip_recursive on;

*) Geo: chains of trusted proxies and partial IPv6 support.

The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "proxy_recursive"
directive in the "geo" block. It also gets partial IPv6 support:
now proxies may be specified with IPv6 addresses.

Example:

geo $test {
    ...
    proxy 127.0.0.1;
    proxy ::1;
    proxy_recursive;
}

There's also a slight change in behavior. When original client
address (as specified by the "geo" directive) is one of the
trusted proxies, and the value of the X-Forwarded-For request
header cannot be parsed as a valid address, an original client
address will be used for lookup. Previously, 255.255.255.255 was
used in this case.

*) Geoip: trusted proxies support and partial IPv6 support.

The module now supports recursive search of client address through the
chain of trusted proxies (closes #100), in the same scope as the geo
module. Proxies are listed by the "geoip_proxy" directive, recursive
search is enabled by the "geoip_proxy_recursive" directive. IPv6 is
partially supported: proxies may be specified with IPv6 addresses.

Example:

geoip_country .../GeoIP.dat;
geoip_proxy 127.0.0.1;
geoip_proxy ::1;
geoip_proxy 10.0.0.0/8;
geoip_proxy_recursive on;
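
The right-to-left walk through trusted proxies that comment:4 describes for ngx_http_get_forwarded_addr(), as a simplified Python model added here (it is not nginx's C code). The function names, the fallback helper and the sample header are assumptions; ports and space-separated entries are not handled.

```python
import ipaddress

# Trusted proxies taken from the geoip_proxy example on this page.
TRUSTED = ["127.0.0.1", "::1", "10.0.0.0/8"]

# Constructed sample header: the leftmost entry is what a client could have
# sent itself; the others were appended by proxies along the way.
CHAIN = "198.51.100.66, 203.0.113.7, 10.0.0.9"


def get_forwarded_addr(peer, xff, trusted, recursive):
    """Model of the lookup: return the client address, or None if declined."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        return any(addr in net for net in nets)

    if not is_trusted(ipaddress.ip_address(peer)):
        return None  # connection is not from a trusted proxy: ignore header
    found = None
    # Walk right to left: the rightmost entry was appended by the proxy
    # closest to us, so it is the only one we have grounds to believe.
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable entry: keep the last valid address, if any
        found = candidate
        if not recursive or not is_trusted(candidate):
            break  # stop at the first address that is not a trusted proxy
    return found


def lookup_addr(peer, xff, trusted=TRUSTED, recursive=True):
    """Address used for the lookup; falls back to the connection address."""
    addr = get_forwarded_addr(peer, xff, trusted, recursive)
    return str(addr) if addr is not None else peer


if __name__ == "__main__":
    print(lookup_addr("10.0.0.5", CHAIN))                   # recursive
    print(lookup_addr("10.0.0.5", CHAIN, recursive=False))  # last hop only
    print(lookup_addr("203.0.113.50", CHAIN))               # untrusted peer
    print(lookup_addr("::1", "not-an-ip"))                  # unparseable
```

With recursion on, the leftmost entry is never reached because the walk stops at the first address outside the trusted list; with recursion off, only the last entry is used, which in a multi-proxy chain is an internal hop.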
