Hello!

On Mon, Sep 15, 2014 at 09:41:21AM -0400, ianjoneill wrote:

> Thanks for your reply.
>
> If I uncomment that line, the X-Forwarded-For header contains all of the IP
> addresses, as shown below:
>
> $ sudo /usr/sbin/tcpdump -i lo -A -s 0 'tcp port 8080 and (
> ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:37:24.303617 IP localhost.50999 > localhost.8080: Flags [P.], seq
> 717883991:7
> 17884206, ack 1454594695, win 4099, options [nop,nop,TS val 2599031 ecr
> 2599030]
> , length 215
> E...."@[email protected]".*.
> WV.Z............
> .'.w.'.vHEAD / HTTP/1.0
> Host: localhost
> X-Real-IP: 10.0.2.2
> X-Forwarded-For: 1.1.1.1, 2.2.2.2, 10.0.2.2
> Connection: close
> User-Agent: curl/7.30.0
> Accept: */*
>
> i.e. I am getting the spoofed addresses and the real one. As I understood
> it, I should only get the real ip, i.e. 10.0.2.2.

No, your understanding is wrong. The line in question will add
the IP address of a client to the X-Forwarded-For list. It's up
to a backend to either trust or not individual addresses in this
list (and realip module is an example how this can be
implemented).

If you want nginx to pass only the IP of the client, without
preserving previous contents of the X-Forwarded-For header, use
$remote_addr variable instead of $proxy_add_x_forwarded_for:

    proxy_set_header X-Forwarded-For $remote_addr;

Or just use X-Real-Ip as already set in your config to
$remote_addr.

-- 
Maxim Dounin
http://nginx.org/
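
An added example, not part of the original message and not nginx code: one way a backend can decide which X-Forwarded-For entries to believe, walking the list from the right and stopping at the first address that is not a known proxy. The function names and the trusted-proxy list (loopback only) are assumptions; the header value is the one from the capture quoted above.

```python
import ipaddress

# Assumption: the only proxy this backend trusts is the nginx on loopback.
TRUSTED_PROXIES = ("127.0.0.0/8", "::1/128")


def is_trusted(addr, trusted):
    """True if addr (an ip_address object) falls inside a trusted proxy network."""
    return any(addr in ipaddress.ip_network(net) for net in trusted)


def leftmost_entry(xff_header):
    """Naive choice: the first entry, which the client itself can set."""
    return xff_header.split(",")[0].strip()


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Pick the address to attribute a request to.

    peer_addr  -- TCP peer of the connection to the backend
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    candidate = ipaddress.ip_address(peer_addr)
    if not xff_header or not is_trusted(candidate, trusted):
        return str(candidate)  # header sent by an untrusted peer is ignored
    # Each entry was appended by the hop to its right, so an entry is only
    # believable while every hop to its right is a trusted proxy.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # malformed entry: keep the last address that validated
        candidate = hop
        if not is_trusted(hop, trusted):
            break  # first non-proxy address from the right is the client
    return str(candidate)


# Header value taken from the capture quoted in the message above.
CAPTURED_XFF = "1.1.1.1, 2.2.2.2, 10.0.2.2"

if __name__ == "__main__":
    print("leftmost:", leftmost_entry(CAPTURED_XFF))
    print("right-to-left:", client_ip("127.0.0.1", CAPTURED_XFF))
```

With the captured header the right-to-left walk yields 10.0.2.2, while taking the leftmost entry yields the client-supplied 1.1.1.1.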
