Hello!

On Thu, Feb 09, 2017 at 05:49:13PM -0500, Paul Nickerson wrote:

> I've got the config below. I don't have these settings reconfigured
> anywhere else. My understanding is that no matter anything else at all
> anywhere else, and no matter whether the X-Forwarded-For field in the HTTP
> header has one or multiple IP addresses, or isn't even present,
> $remote_addr will not be altered.
>
> set_real_ip_from 0.0.0.0/0;
> real_ip_header X-Forwarded-For;
> real_ip_recursive on;
>
> From what I read, "real_ip_recursive on" means that $remote_addr can only
> be set to an IP address that is not in the range set by set_real_ip_from.
> And since that's 0.0.0.0/0, there is no IP that can meet this requirement.
>
> Am I correct in my analysis?

CIDR 0.0.0.0/0 means 0.0.0.0 - 255.255.255.255, so any IP address is allowed to change the IP via X-Forwarded-For. You can find more information about CIDR notation here:

https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

And real_ip_recursive switched on means that this happens recursively. As a result, with the configuration in question nginx will use the first address in X-Forwarded-For provided, if any (assuming all addresses are valid).

Note that "set_real_ip_from 0.0.0.0/0" makes client's address as seen by nginx easily spoofable by any client, and it is generally a bad idea to use it in production.

--
Maxim Dounin
http://nginx.org/
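
A simplified model of the address selection described in the reply above, added here as an illustration; it is not part of the original message and is not nginx source code. The function name `effective_remote_addr` and all sample addresses are constructed for the example.

```python
import ipaddress


def effective_remote_addr(peer, xff, trusted_cidrs, recursive=True):
    """Model of how the realip settings pick the client address.

    peer          -- address of the TCP peer that connected to the server
    xff           -- raw X-Forwarded-For header value, or None if absent
    trusted_cidrs -- the set_real_ip_from ranges
    recursive     -- the real_ip_recursive setting
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []

    # The header is only consulted while the current address is trusted.
    # Entries are consumed right to left, i.e. nearest proxy first.
    while hops and any(addr in net for net in nets):
        try:
            candidate = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: stop and keep what we have so far
        addr = candidate
        if not recursive:
            break  # non-recursive mode takes only the last entry
    return str(addr)


if __name__ == "__main__":
    # Constructed header: the leftmost entry is whatever the client sent.
    header = "192.0.2.1, 198.51.100.9, 10.0.0.5"

    # Trusting 0.0.0.0/0: every hop is "trusted", so the walk runs to the
    # leftmost, client-controlled entry.
    print(effective_remote_addr("10.0.0.1", header, ["0.0.0.0/0"]))

    # Trusting only the internal proxy range: the walk stops at the first
    # address that is not one of our proxies.
    print(effective_remote_addr("10.0.0.1", header, ["10.0.0.0/8"]))
```

With only the proxy range trusted, a client connecting directly cannot influence the result at all, because its own peer address fails the trust check before the header is read.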