Re: Reverse Proxy Security

April 23, 2010 02:44AM
On Thu, Apr 22, 2010 at 06:09:28PM -0400, karmaboy wrote:

> When using nginx as reverse proxy, to determine the actual client IP address I would need to rely on the X-Real-IP header. Since this is just an HTTP header that can be faked, is it possible for a visitor to include an X-Real-IP header value of their own, passing a fake IP to the back-end server? Does nginx always overwrite this value with the one it detects?

Yes, nginx always overwrites a header if you set it in proxy_set_header.


--
Igor Sysoev
http://sysoev.ru/en/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
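
The condition in the reply above ("if you set it in proxy_set_header") is worth seeing in a configuration, because `proxy_set_header` directives are inherited from the enclosing level only when the current level defines none of its own. The following is an added example, not part of the original thread; the backend address, the location paths and the `X-Request-Start` header are assumptions chosen for illustration.

```nginx
# Added example. 127.0.0.1:8080 and the location paths are assumptions.
upstream backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;

    # Set at server level: inherited by every location that defines
    # no proxy_set_header of its own.
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;

    location / {
        # No proxy_set_header here, so the server-level ones apply.
        # Any X-Real-IP sent by the client is replaced with $remote_addr.
        proxy_pass http://backend;
    }

    location /api/ {
        # Weak: defining any proxy_set_header at this level stops
        # inheritance of the server-level ones. X-Real-IP is not set
        # here, so a client-supplied X-Real-IP reaches the backend as sent.
        proxy_set_header X-Request-Start $msec;
        proxy_pass http://backend;
    }

    location /api-fixed/ {
        # Corrected: repeat every header the backend relies on.
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Request-Start $msec;
        proxy_pass http://backend;
    }
}
```

Running `nginx -T` prints the full effective configuration, which makes it easy to review each proxied location for the headers the backend trusts.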