Can real_ip_header's behavior be altered slightly?

wickie · December 29, 2009, 10:33pm

Currently there’s a slight annoyance (not sure I’d call it a bug) -
we’re behind a CDN and the wrong IP is being assigned from
real_ip_header, because we’re getting multiple IP addresses. Can the
behavior be altered for this kind of case?

in PHP, when dumping $_SERVER:

[“HTTP_VIA”]=>
string(127) “1.1 proxy1.company1.com, 1.1
somehost2.cdncompany.net:8000 (EdgePrism/3.7.2.8), 1.1
somehost1.cdncompany.net:80 (EdgePrism/3.7.2.8)”

[“HTTP_X_FORWARDED_FOR”]=>
string(31) “14.13.13.70, 20.11.18.105”

[“REMOTE_ADDR”]=>
string(15) “20.11.18.105”

It shows the right address first in the X-Forwarded-For, but the other
addresses second, but nginx is grabbing the LAST ip in the list.

Can we make the real_ip_header trust the FIRST ip only? something like
if the header supplied in “real_ip_header” includes “,” to take only
the string up to the “,”?

In PHP (pseudocode) it’d be something like:

if(strstr($_SERVER[‘HTTP_X_FORWARDED_FOR’], ‘,’)) {
$ip = substr($_SERVER[‘HTTP_X_FORWARDED_FOR’], 0,
strpos($_SERVER[‘HTTP_X_FORWARDED_FOR’], ‘,’));
}

I think it can be almost mapped directly to C, since some of those
functions are in directly C, I think

wickie · December 30, 2009, 1:08am

Hello!

On Tue, Dec 29, 2009 at 01:32:48PM -0800, Michael S. wrote:

somehost1.cdncompany.net:80 (EdgePrism/3.7.2.8)"

[“HTTP_X_FORWARDED_FOR”]=>
string(31) “14.13.13.70, 20.11.18.105”

[“REMOTE_ADDR”]=>
string(15) “20.11.18.105”

It shows the right address first in the X-Forwarded-For, but the other
addresses second, but nginx is grabbing the LAST ip in the list.

The last one is the address added by last proxy. As we trust last
proxy - we use address added by it.

The first address is the address as it came from client. You
probably don’t want to trust it at all.

If you want to pass original ip address of client through multiple
proxies - you just need to use real_ip_from / proxy_set_header
consistently on all proxies in chain.

Maxim D.

wickie · December 30, 2009, 1:33am

Hello!

On Tue, Dec 29, 2009 at 04:14:58PM -0800, Michael S. wrote:

consistently on all proxies in chain.
but the order is opposite. Are you sure this logic is proper? In this
experience it is actually backwards.

It’s not actually a corporate proxy or CDN we have any control over.
We’re just inheriting these headers.

Well, as long as you have no control over proxies in chain - you
probably want to iterate over addresses in X-Forwarded-For from
last to first until you find one which isn’t trusted. This isn’t
something nginx is able to do right now.

Maxim D.

wickie · December 30, 2009, 1:18am

On Tue, Dec 29, 2009 at 4:07 PM, Maxim D. [email protected]
wrote:

The last one is the address added by last proxy. Â As we trust last
proxy - we use address added by it.

The first address is the address as it came from client. Â You
probably don’t want to trust it at all.

If you want to pass original ip address of client through multiple
proxies - you just need to use real_ip_from / proxy_set_header
consistently on all proxies in chain.

It appears that the order we’re receiving it is from multiple
X-Forwarded-For addresses…

This is from:

corporate network proxy → CDN → nginx server

The corporate network proxy passes on an IP in X-Forwarded-For, then
the CDN seems to use X-Forwarded-For as well. nginx seems to get them
but the order is opposite. Are you sure this logic is proper? In this
experience it is actually backwards.

It’s not actually a corporate proxy or CDN we have any control over.
We’re just inheriting these headers.