Re: [PATCH] Improve X-Forwarded-For handling in realip

Omar Kilani
December 01, 2010 10:34PM
Hi Michael,

You should be able to get a list of subnets from your CDN, which you
can add to 'set_real_ip_from'. This way, you'll get the first
untrusted IP in the chain -- the scan works backwards, so even if your
XFF looked like:

X-Forwarded-For: proxy1 proxy2 client1

You'll get 'client1' if you add 'proxy1' or 'proxy2' to 'set_real_ip_from'.

And if your XFF looked like:

X-Forwarded-For: client1 proxy1 proxy2

You'll get 'client1' too -- hence the patch. :)

Regards,
Omar

On Thu, Dec 2, 2010 at 2:26 PM, Michael Shadle <mike503@gmail.com> wrote:
> On Wed, Dec 1, 2010 at 7:23 PM, Omar Kilani <omar.kilani@gmail.com> wrote:
>
>> The problem is that nginx doesn't do the "first IP in the header which
>> is not trusted" part -- it always returns the last IP in the
>> X-Forwarded-For header, no matter what.
>
> we have an issue where our CDN gives us the reverse XFF header - we
> really want the LAST ip, not the first one (or vice versa) and nginx
> gives us the first one which doesn't help :(
>
> making the realip behavior more configurable gets a big +1 from me.
> not sure if this is as configurable as it could be though.
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
>
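
The right-to-left scan described in this message, as an added example that is not part of the original post or of the nginx patch. The function name, the sample addresses (documentation ranges), and the handling of untrusted peers and malformed entries are assumptions of this example.

```python
import ipaddress

# Constructed sample: networks that would be listed in set_real_ip_from.
TRUSTED = ["203.0.113.0/24"]


def first_untrusted(xff, peer, trusted_cidrs=TRUSTED):
    """Scan X-Forwarded-For from the right; return the first untrusted address.

    xff  -- header value (entries separated by commas or spaces)
    peer -- address of the directly connected TCP peer
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    result = ipaddress.ip_address(peer)
    # Assumption: a header sent by an untrusted peer is client-controlled,
    # so it is ignored and the peer address itself is used.
    if not is_trusted(result):
        return str(result)

    for hop in reversed(xff.replace(",", " ").split()):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # assumption: stop at a malformed entry, keep last valid hop
        result = addr
        if not is_trusted(addr):
            break  # first untrusted address, scanning backwards
    return str(result)


if __name__ == "__main__":
    peer = "203.0.113.12"  # constructed: a CDN edge inside the trusted range
    for header in (
        "198.51.100.7, 203.0.113.10, 203.0.113.11",   # client first
        "203.0.113.10 203.0.113.11 198.51.100.7",     # client last
        "192.0.2.99, 198.51.100.7, 203.0.113.10",     # extra client-supplied entry
    ):
        print(header, "->", first_untrusted(header, peer))
```

In the third sample the leftmost entry is never reached, because the scan stops at the first address outside the trusted networks.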
