Re: Can real_ip_header's behavior be altered slightly?

Maxim Dounin
December 29, 2009 07:32PM
Hello!

On Tue, Dec 29, 2009 at 04:14:58PM -0800, Michael Shadle wrote:

> On Tue, Dec 29, 2009 at 4:07 PM, Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> > The last one is the address added by last proxy.  As we trust last
> > proxy - we use address added by it.
> >
> > The first address is the address as it came from client.  You
> > probably don't want to trust it at all.
> >
> > If you want to pass original ip address of client through multiple
> > proxies - you just need to use real_ip_from / proxy_set_header
> > consistently on all proxies in chain.
>
> It appears that the order we're receiving it is from multiple
> X-Forwarded-For addresses...
>
> This is from:
>
> corporate network proxy -> CDN -> nginx server
>
> The corporate network proxy passes on an IP in X-Forwarded-For, then
> the CDN seems to use X-Forwarded-For as well. nginx seems to get them
> but the order is opposite. Are you sure this logic is proper? In this
> experience it is actually backwards.

http://en.wikipedia.org/wiki/X-Forwarded-For

> It's not actually a corporate proxy or CDN we have any control over.
> We're just inheriting these headers.

Well, as long as you have no control over proxies in chain - you
probably want to iterate over addresses in X-Forwarded-For from
last to first until you find one which isn't trusted. This isn't
something nginx is able to do right now.

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
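
The right-to-left walk described in the reply above, written out as an added example (not code from the thread or from nginx). The function names, the `TRUSTED_PROXIES` ranges and the sample addresses are constructed assumptions; substitute the ranges of the proxies you actually trust.

```python
import ipaddress

# Assumption: constructed ranges standing in for the CDN / internal proxies you trust.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside any trusted proxy range."""
    return any(addr in net for net in trusted)


def client_address(peer, xff_values, trusted=TRUSTED_PROXIES):
    """Pick the address to attribute a request to.

    peer       -- address of the TCP peer that connected to us
    xff_values -- X-Forwarded-For header values, in the order received
    """
    addr = ipaddress.ip_address(peer)
    # If the peer itself is not a trusted proxy, anything in the header is
    # client-controlled and must be ignored.
    if not is_trusted(addr, trusted):
        return str(addr)

    # Several X-Forwarded-For lines are equivalent to one comma-joined list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]

    # Walk from the last entry (added by the nearest proxy) toward the first.
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the last address we could vouch for
        addr = candidate
        if not is_trusted(addr, trusted):
            break  # first untrusted address: everything left of it is unverified
    return str(addr)
```

Entries to the left of the returned address were supplied by a party outside the trusted set, so they should be logged at most, never used for access control or rate limiting.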