My nginx config is -
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
set_real_ip_from 55.55.55.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
I would like to know if I understand this config correctly.
Let us say a user has a machine -
1. At ip 11.11.11.11
2. The user is behind a proxy which has an IP 22.22.22.22
3. User sends a request, which reaches the load balancer at 55.55.55.1, which routes it to nginx.
Then, once nginx has done its work, the request will have following headers reaching the server -
a. X-Forwarded-For: [11.11.11.11, 22.22.22.22, 55.55.55.1]
b. X-Real-IP: 22.22.22.22 (since nginx will recurse on X-Forwarded-For from end of array to start of array, and find the first untrusted IP)
c. If X-Forwarded-For does not exist in a request, then $remote_addr value is used in X-Real-IP header, otherwise it is over-written by recursing on X-Forwarded-For header array, taking into consideration set_real_ip_from rule(s).
Please let me know if points 'a', 'b' and 'c' are correct or incorrect. If incorrect, I would like to know the reason why?
127.0.0.1 is a loopback address - so it cannot be the internet-facing address of your load balancer. And assuming that every proxy in the chain appends to the X-Forwarded-For header. – Tami
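A way to check points a, b and c is to model the documented behaviour of `set_real_ip_from`, `real_ip_recursive` and `$proxy_add_x_forwarded_for` directly. The following is an added example, not part of the original post or of nginx itself. It assumes the proxy and the load balancer each append the address they received the connection from, so nginx receives `X-Forwarded-For: 11.11.11.11, 22.22.22.22` from peer 55.55.55.1, and it handles bare IP addresses only (no ports).

```python
import ipaddress

def realip(peer, xff, trusted, recursive=True):
    """Address nginx uses as $remote_addr after the realip module has run.

    peer    -- TCP peer address of the connection (what $realip_remote_addr keeps)
    xff     -- incoming X-Forwarded-For header value, or None if absent
    trusted -- addresses/CIDRs listed in set_real_ip_from
    """
    nets = [ipaddress.ip_network(t) for t in trusted]
    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # The header is consulted only while the current address is trusted.
    # Walking right to left stops at the first untrusted entry, so anything
    # a client put further left is never used.
    while hops and any(addr in n for n in nets):
        try:
            addr = ipaddress.ip_address(hops.pop())
        except ValueError:
            break          # unparsable entry: keep the last good address
        if not recursive:
            break          # real_ip_recursive off: take the last entry only
    return str(addr)

def upstream_headers(peer, xff, trusted, recursive=True):
    """Headers produced by the two proxy_set_header lines in the question."""
    remote_addr = realip(peer, xff, trusted, recursive)
    # $proxy_add_x_forwarded_for is the incoming header with $remote_addr
    # appended, and $remote_addr here is the value realip already replaced.
    forwarded = f"{xff}, {remote_addr}" if xff else remote_addr
    return {"X-Forwarded-For": forwarded, "X-Real-IP": remote_addr}

if __name__ == "__main__":
    TRUSTED = ["55.55.55.1"]                  # set_real_ip_from 55.55.55.1;
    # Constructed requests: (peer address, incoming X-Forwarded-For)
    samples = [
        ("55.55.55.1", "11.11.11.11, 22.22.22.22"),  # scenario in the question
        ("55.55.55.1", None),                        # header absent (point c)
        ("203.0.113.9", "11.11.11.11"),              # peer not trusted
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", upstream_headers(peer, xff, TRUSTED))
```

Because the realip module replaces `$remote_addr` before the `proxy_set_header` lines are evaluated, the address appended to `X-Forwarded-For` in the first sample is 22.22.22.22 rather than 55.55.55.1.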