Confused about X-Forwarded-For

I am using nginx as a load balancing proxy to pass requests using
proxy_pass to upstream servers running my web app.

These requests may or may not come in with X-Forwarded-For, depending on
whether the visitor is using a proxy.

On those upstream servers, within my web app, I need to get the IP
address of the client browser.

Without nginx in the picture, my logic would be as follows:

  • if X-Forwarded-For is set in the header, get the FIRST IP address in
    the list from X-Forwarded-For
  • if there is no X-Forwarded-For in the header, use the REMOTE_ADDR
    environment variable.

Now once I put nginx into the mix in front of the upstream servers, this
is where I am getting confused. I have seen examples that show this:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;

HOWEVER, I think I would then have to change my logic to look for
X-Forwarded-For, and if not found, look for X-Real-IP.

What I would like to do instead is to just to have nginx add the real IP
($remote_addr) to the X-Forwarded-For header. This way my app can just
always look for the first entry in the X-Forwarded-For list of IPs to
get the IP I need.

So, I would like to know if the following would work to do this trick:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $remote_addr;

Would that give me the result I am looking for by putting the real IP in
the X-Forwarded-For header? And if that header is present, would it add
it to the list or clobber previous entries? Perhaps instead it needs to
be written instead as:
proxy_set_header X-Forwarded-For

but in the event there was nothing in the X-Forwarded-For header it
would wind up giving me a: “X-Forwarded-For ,x.y.z.a” and that leading
comma would mess me up.

Ideas? Thank you!



Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now.;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ