Welcome! Log In Create A New Profile

Advanced

Re: Nginx Map how to check value if empty

Francis Daly
March 07, 2017 04:26PM
On Mon, Mar 06, 2017 at 02:12:40PM -0500, c0nw0nk wrote:

Hi there,

good that you've found some more answers.

There's still some to be worked on, though, I suspect.

> So to explain how to get the origin IP for each method someone could be
> using here is the list :
>
> Cloudflares proxied traffic :
> sets the header $http_cf_connecting_ip so use this header to get the
> Client's real IP

Stock nginx has the realip module which will allow you to use a value
from one specific http header, as if it were the connecting address.

And stock nginx knows that the client can set any header to any value,
so it can be configured to only believe the value if it was set by a
trusted source. (More or less).

It looks like this $http_cf_connecting_ip contains a single IP address,
which is the address of the thing that connected to Cloudflare -- either
the client, or a proxy that it uses. And it can be trusted, if the
incoming request went through the Cloudflare reverse proxy. (And,
presumably, it is spoofed if the incoming request did not go through
the Cloudflare reverse proxy.)

> Traffic from cloudflare via the DNS only connections :
> These would not have the $http_cf_connecting_ip header present.
> But those connections hit a load balancing ip what sets the header
> $http_x_forwarded_for header so that is the way to get the Clients real ip
> via those connections.

$http_x_forwarded_for is common enough; it can hold a list of IP
addresses. The realip module knows how to deal with it.

Whatever method you use to read it, you should be aware that the
header is not necessarily exactly one IP address. And the client can
set the header to any initial value; the "load balancing ip" (unless
documented otherwise) probably creates-or-adds-to the header, rather
than creates-or-replaces.

> And then some connections don't hit my load balancing IP and go directly to
> a specific origin server these connections can use $remote_addr.

They can. But those connections might also have $http_x_forwarded_for. And
$http_cf_connecting_ip. So you will need a reliable way of distinguishing
between case#1 and case#2 and case#3, if you care about that.

(Probably, the majority of "innocent" requests will not have spoofed
headers. If that is good enough for what you are trying to achieve,
then you're ok.)

> My Solution / conclusion :
>
> How to come up with a fix that allows me to obtain the real IP in a dynamic
> situation like this ?

I would suggest one of:

* go to extra measures to cause there to exist a new feature in nginx,
such that the realip module will look at more than one header to determine
the address to use

or

* recognise that if Cloudflare put in a CF-Connecting-IP header, they
probably also put in a X-Forwarded-For header; ignore CF-Connecting-IP
and just use the realip module with X-Forwarded-For.

http://nginx.org/r/real_ip_header and the rest of that page.

> I have solved my issue with the following.

This will work, with the above caveats.

If you have time to experiment, you may find that the realip module does
something similar in a less fragile way.

Cheers,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Nginx Map how to check value if empty

c0nw0nk March 03, 2017 10:47AM

Re: Nginx Map how to check value if empty

Francis Daly March 04, 2017 03:16AM

Re: Nginx Map how to check value if empty

c0nw0nk March 04, 2017 05:35PM

Re: Nginx Map how to check value if empty

c0nw0nk March 05, 2017 04:00PM

Re: Nginx Map how to check value if empty

B.R. via nginx March 05, 2017 04:40PM

Re: Nginx Map how to check value if empty

c0nw0nk March 05, 2017 04:50PM

Re: Nginx Map how to check value if empty

B.R. via nginx March 06, 2017 07:04AM

Re: Nginx Map how to check value if empty

c0nw0nk March 06, 2017 02:12PM

Re: Nginx Map how to check value if empty

Francis Daly March 07, 2017 04:26PM

Re: Nginx Map how to check value if empty

c0nw0nk March 07, 2017 06:44PM

Re: Nginx Map how to check value if empty

c0nw0nk March 08, 2017 01:56AM

Re: Nginx Map how to check value if empty

B.R. via nginx March 08, 2017 04:42AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 105
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready