Hello!

On Mon, Sep 15, 2014 at 09:41:21AM -0400, ianjoneill wrote:

> Thanks for your reply.
>
> If I uncomment that line, the X-Forwarded-For header contains all of the IP
> addresses, as shown below:
>
> $ sudo /usr/sbin/tcpdump -i lo -A -s 0 'tcp port 8080 and (
> ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:37:24.303617 IP localhost.50999 > localhost.8080: Flags [P.], seq
> 717883991:7
> 17884206, ack 1454594695, win 4099, options [nop,nop,TS val 2599031 ecr
> 2599030]
> , length 215
> E...."@.@............7".*.
> WV.Z............
> .'.w.'.vHEAD / HTTP/1.0
> Host: localhost
> X-Real-IP: 10.0.2.2
> X-Forwarded-For: 1.1.1.1, 2.2.2.2, 10.0.2.2
> Connection: close
> User-Agent: curl/7.30.0
> Accept: */*
>
> i.e. I am getting the spoofed addresses and the real one. As I understood
> it, I should only get the real ip, i.e. 10.0.2.2.

No, your understanding is wrong. The line in question will add
the IP address of a client to the X-Forwarded-For list. It's up
to a backend to either trust or not individual addresses in this
list (and realip module is an example how this can be
implemented).

If you want nginx to pass only the IP of the client, without
preserving previous contents of the X-Forwarded-For header, use
$remote_addr variable instead of $proxy_add_x_forwarded_for:

proxy_set_header X-Forwarded-For $remote_addr;

Or just use X-Real-Ip as already set in your config to
$remote_addr.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx