On Thu, Apr 22, 2010 at 06:09:28PM -0400, karmaboy wrote:
> When using nginx as reverse proxy, to determine the actual client IP address I would need to rely on the X-Real-IP header. Since this is just an HTTP header than can be faked, is it possible for a visitor to include an X-Real-IP header value of their own, passing a fake IP to the back-end server? Does nginx always overwrite this value with the one it detects?
Yes, nginx always overwrites a header if you set it in proxy_set_header.
--
Igor Sysoev
http://sysoev.ru/en/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx