Thanks for your reply. If I uncomment that line, the X-Forwarded-For header contains all of the IP addresses, as shown below:
$ sudo /usr/sbin/tcpdump -i lo -A -s 0 'tcp port 8080 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
14:37:24.303617 IP localhost.50999 > localhost.8080: Flags [P.], seq 717883991:717884206, ack 1454594695, win 4099, options [nop,nop,TS val 2599031 ecr 2599030], length 215
E...."@[email protected]".*. WV.Z............
.'.w.'.vHEAD / HTTP/1.0
Host: localhost
X-Real-IP: 10.0.2.2
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 10.0.2.2
Connection: close
User-Agent: curl/7.30.0
Accept: */*

i.e. I am getting the spoofed addresses and the real one. As I understood it, I should only get the real IP, i.e. 10.0.2.2.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253247,253250#msg-253250
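
Added example, not part of the original post: one way a backend behind the proxy can pick the client address out of a header like the one captured above, by reading X-Forwarded-For from the right and stopping at the first address that is not one of its own proxies. The trusted range (loopback only), the peer address 127.0.0.1 and the names client_ip, is_trusted and TRUSTED_PROXIES are assumptions.

```python
import ipaddress

# Assumption: only the local proxy (loopback) is trusted to append to the header.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]

# Header value taken from the capture in the post.
CAPTURED_XFF = ["1.1.1.1, 2.2.2.2, 10.0.2.2"]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in trusted if net.version == addr.version)


def client_ip(peer, xff_values, trusted=TRUSTED_PROXIES):
    """Return the address the request should be attributed to.

    peer: source address of the TCP connection the backend accepted.
    xff_values: every X-Forwarded-For header line, in received order.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not is_trusted(peer_addr, trusted):
        # Direct connection: the whole header is client-controlled.
        return str(peer_addr)
    # Several header lines are equivalent to one comma-joined list.
    hops = [h.strip() for line in xff_values
            for h in line.split(",") if h.strip()]
    candidate = peer_addr
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop, nothing further left is reliable
        candidate = addr
        if not is_trusted(addr, trusted):
            break  # first hop not written by our own proxy chain
    return str(candidate)


if __name__ == "__main__":
    # The backend sees the proxy on loopback as its peer.
    print(client_ip("127.0.0.1", CAPTURED_XFF))
```

Entries to the left of the returned address were supplied by the client and are never consulted.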
