Re: Usage of $proxy_add_x_forwarded_for on edge proxies

Maxim Dounin
January 12, 2021 12:48PM
Hello!

On Tue, Jan 12, 2021 at 11:14:50PM +0900, nanaya wrote:

> Should there be warning in documentation on usage of $proxy_add_x_forwarded_for for X-Forwarded-For proxy header on edge proxies?
>
> I keep seeing config examples with proxy settings like this:
>
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
> Which doesn't make sense on edge servers as there's no way to trust the client-provided value. At best it just adds unnecessary complexity trying to figure out the last "trustworthy" entry.
>
> The correct value should be just $remote_addr (and thus drop client-provided values).
>
> I think $proxy_add_x_forwarded_for should only be used for proxies located behind another proxy.
>
> (or someone please correct me on this)

Let me be someone.

The X-Forwarded-For is expected to contain multiple addresses, with
the last one being from the last proxy. It is up to the reader of
the header to trust or not particular values from the header.

For example, in the realip module nginx provides set_real_ip_from
and real_ip_recursive directives to configure which addresses to
trust (see http://nginx.org/r/set_real_ip_from and
http://nginx.org/r/real_ip_recursive). Similarly, in the geo
module there are "proxy" and "proxy_recursive" parameters, and in
the geoip module there are "geoip_proxy" and
"geoip_proxy_recursive" directives.

In some cases it might be a good idea to trust X-Forwarded-For
values provided by clients: for example, there are some well-known
public proxies, such as Opera Mini proxies. And it might be a
good idea to trust almost everything if you are trying to extract
some non-essential details, such as best-guess geoinformation.

And it is always a good idea to preserve X-Forwarded-For provided
by client, if any. In particular, it can be used in abuse reports
and various investigations.

If you want to use something without extra complexity, consider
using X-Real-IP header instead, which is expected to contain only
one client address as set by your edge/frontend servers.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
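The reader-side trust decision described in the reply above, as an added example that is not part of the original message and is not nginx's code: a simplified Python model of the documented `set_real_ip_from` / `real_ip_recursive` rules, run over a header built the way `$proxy_add_x_forwarded_for` builds it. The function names and all addresses are constructed for illustration.

```python
import ipaddress

def proxy_add_x_forwarded_for(client_xff, remote_addr):
    """Value of $proxy_add_x_forwarded_for: client header plus $remote_addr."""
    return f"{client_xff}, {remote_addr}" if client_xff else remote_addr

def resolve_client_ip(peer, xff, trusted, recursive):
    """Pick the client address the way a realip-style reader would.

    peer      -- address of the TCP peer (the last proxy)
    xff       -- X-Forwarded-For value received from that peer
    trusted   -- CIDR strings, the equivalent of set_real_ip_from
    recursive -- the equivalent of real_ip_recursive on/off
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    current = ipaddress.ip_address(peer)
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    # Walk right to left: an entry is believed only if the address that
    # reported it (the current one) is itself trusted.
    while entries and any(current in n for n in nets):
        try:
            current = ipaddress.ip_address(entries.pop())
        except ValueError:
            break  # unparsable entry: keep the last accepted address
        if not recursive:
            break  # non-recursive: take only the last entry
    return str(current)

# Constructed scenario: a client at 203.0.113.7 sends a forged header,
# the edge proxy (192.0.2.10) appends the real peer address to it.
CLIENT, SPOOFED, EDGE = "203.0.113.7", "10.0.0.1", "192.0.2.10"
CHAIN = proxy_add_x_forwarded_for(SPOOFED, CLIENT)

if __name__ == "__main__":
    for trusted, recursive in (([EDGE + "/32"], False),
                               ([EDGE + "/32"], True),
                               (["0.0.0.0/0"], True)):
        ip = resolve_client_ip(EDGE, CHAIN, trusted, recursive)
        print(f"trusted={trusted} recursive={recursive} -> {ip}")
```

With only the edge proxy trusted, the forged leftmost entry is preserved in the header but never selected; it is selected only when the reader trusts every address.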