Hello! On Tue, Jan 12, 2021 at 11:14:50PM +0900, nanaya wrote:
> Should there be a warning in documentation on usage of
> $proxy_add_x_forwarded_for for X-Forwarded-For proxy header on edge proxies?
>
> I keep seeing config examples with proxy settings like this:
>
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
> Which doesn't make sense on edge servers as there's no way to trust the
> client-provided value. At best it just adds unnecessary complexity trying to
> figure out the last "trustworthy" entry.
>
> The correct value should be just $remote_addr (and thus drop client-provided
> values).
>
> I think $proxy_add_x_forwarded_for should only be used for proxies located
> behind another proxy.
>
> (or someone please correct me on this)

Let me be someone.

The X-Forwarded-For is expected to contain multiple addresses, with the last one being from the last proxy. It is up to the reader of the header to trust or not particular values from the header.

For example, in the realip module nginx provides set_real_ip_from and real_ip_recursive directives to configure which addresses to trust (see http://nginx.org/r/set_real_ip_from and http://nginx.org/r/real_ip_recursive). Similarly, in the geo module there are "proxy" and "proxy_recursive" parameters, and in the geoip module there are "geoip_proxy" and "geoip_proxy_recursive" directives.

In some cases it might be a good idea to trust X-Forwarded-For values provided by clients: for example, there are some well-known public proxies, such as Opera Mini proxies. And it might be a good idea to trust almost everything if you are trying to extract some non-essential details, such as best-guess geoinformation.

And it is always a good idea to preserve X-Forwarded-For provided by client, if any. In particular, it can be used in abuse reports and various investigations.

If you want to use something without extra complexity, consider using X-Real-IP header instead, which is expected to contain only one client address as set by your edge/frontend servers.
-- 
Maxim Dounin
http://mdounin.ru/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
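An added illustration of the trust model discussed in this thread (example code, not from the thread or from nginx): `edge_proxy_headers` models what an edge server sends upstream with `$proxy_add_x_forwarded_for` plus an `X-Real-IP` header, and `real_client_ip` models how a backend reads the chain under `set_real_ip_from` with `real_ip_recursive` off or on. Function names and the trusted ranges are this example's own; the fallback when every entry in the chain is trusted is an assumption.

```python
import ipaddress

# Constructed trusted-proxy ranges, playing the role of a backend's
# "set_real_ip_from" directives (addresses are hypothetical).
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr, trusted=TRUSTED):
    """True if addr falls inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # garbage in the header is never trusted
        return False
    return any(ip in net for net in trusted)


def edge_proxy_headers(remote_addr, incoming_xff=None):
    """Headers an edge nginx sends upstream with
    'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' and
    'proxy_set_header X-Real-IP $remote_addr;': the client-supplied chain is
    preserved (peer address appended), while X-Real-IP is the peer alone."""
    xff = f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr
    return {"X-Forwarded-For": xff, "X-Real-IP": remote_addr}


def real_client_ip(remote_addr, xff, trusted=TRUSTED, recursive=False):
    """Backend-side reading of X-Forwarded-For, following the realip module
    documentation: the header is consulted only when the connecting peer is
    trusted; with recursion off the rightmost address wins; with recursion on
    trusted addresses are skipped right-to-left and the first untrusted one
    is taken as the client. Falling back to the leftmost address when every
    entry is trusted is an assumption of this example."""
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    chain = [a.strip() for a in (xff or "").split(",") if a.strip()]
    if not chain:
        return remote_addr
    if not recursive:
        return chain[-1]
    for addr in reversed(chain):
        if not is_trusted(addr, trusted):
            return addr
    return chain[0]
```

With a single trusted hop the spoofed client-supplied value is never chosen in either mode; with two trusted hops only the recursive mode reaches the real client, which is the "last trustworthy entry" complexity the original question refers to.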