Opened 7 years ago
Closed 7 years ago
#1411 closed defect (wontfix)
realip module using first of multiple X-Real-IP or custom headers
Reported by: | Andjelko Horvat | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-core | Version: | 1.13.x |
Keywords: | realip x-real-ip x-forwarded-for multiple headers | Cc: | |
uname -a: | Linux cmp 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) x86_64 GNU/Linux | | |
nginx -V: | nginx version: nginx/1.13.7 built by gcc 4.9.2 (Debian 4.9.2-10) configure arguments: --with-http_realip_module | | |
Description
This is a continuation of https://trac.nginx.org/nginx/ticket/106, the ngx_http_realip_module issue with multiple headers.
When multiple X-Real-IP headers (or multiple instances of a custom header set with real_ip_header) are sent in the request, nginx uses the first header, but it should use the last one.
E.g. in a request like:

```
curl -vIL -H'X-Real-IP: 1.1.1.1' -H'X-Real-IP: 2.2.2.2' 127.0.0.1 2>&1 | grep '^>'
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 127.0.0.1
> Accept: */*
> X-Real-IP: 1.1.1.1
> X-Real-IP: 2.2.2.2
```
1.1.1.1 would be used and not 2.2.2.2. If the load balancer just appends a new X-Real-IP header at the end, then the first header is still used, and the client can e.g. bypass nginx ACLs.
This was fixed in #106 for the X-Forwarded-For header in a way that multiple headers are merged into one, but in the X-Real-IP/custom header case only the last header could be used, without merging.
The X-Real-IP header is not expected to be used more than once (and it is expected to contain only one address). Accordingly, any additional X-Real-IP header fields are ignored by nginx. Load balancers are expected to replace the header, not append or even prepend it (though prepend will work correctly).
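The following Python model, added here and not part of the ticket or of nginx, reproduces the two behaviours the ticket describes (first X-Real-IP occurrence wins and later ones are ignored; multiple X-Forwarded-For headers are merged into one list, per #106) and adds the check a deployment should run in front of nginx: counting repeated real_ip_header occurrences, which indicate a balancer that appends instead of replacing, or a client-supplied copy. The header lists and addresses are constructed sample data.

```python
"""Model of ngx_http_realip_module's choice of source header when a request carries
repeated headers, plus a defender-side check for duplicated real_ip_header fields.
This is an illustrative model written for this ticket, not nginx's own code."""

from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample requests, as a proxy or log tap would see the header list.
SAMPLE_DUPLICATE_REAL_IP: List[Header] = [
    ("Host", "127.0.0.1"),
    ("X-Real-IP", "1.1.1.1"),   # first occurrence: what nginx uses
    ("X-Real-IP", "2.2.2.2"),   # appended by a balancer or a client: ignored
]
SAMPLE_DUPLICATE_XFF: List[Header] = [
    ("X-Forwarded-For", "1.1.1.1"),
    ("X-Forwarded-For", "2.2.2.2, 3.3.3.3"),
]


def nginx_realip_source(headers: List[Header], real_ip_header: str = "X-Real-IP") -> Optional[str]:
    """Return the header value realip works from, following the ticket text:
    - X-Real-IP / custom real_ip_header: the first occurrence wins, the rest are ignored;
    - X-Forwarded-For: all occurrences are merged into one comma-separated list (#106)."""
    name = real_ip_header.lower()
    values = [v.strip() for k, v in headers if k.lower() == name]
    if not values:
        return None
    if name == "x-forwarded-for":
        return ", ".join(values)
    return values[0]


def real_ip_header_count(headers: List[Header], real_ip_header: str = "X-Real-IP") -> int:
    """Number of real_ip_header fields in the request. Anything above one means the
    balancer appended rather than replaced the header, or the client sent its own copy;
    the balancer should strip client-supplied copies and set exactly one."""
    name = real_ip_header.lower()
    return sum(1 for k, _ in headers if k.lower() == name)


def last_real_ip_value(headers: List[Header], real_ip_header: str = "X-Real-IP") -> Optional[str]:
    """The value the reporter argues realip should use (the last occurrence), kept here so
    an audit can log both the address nginx used and the one the balancer appended."""
    name = real_ip_header.lower()
    values = [v.strip() for k, v in headers if k.lower() == name]
    return values[-1] if values else None
```

Running `real_ip_header_count` over captured headers at the balancer (and logging when it exceeds one) surfaces exactly the append configuration the maintainer says is unsupported.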