When duplicate HTTP headers occur (e.g., two X-Forwarded-For headers),
nginx will use the first instance silently. This means internal variables like
$http_x_forwarded_for are not entirely correct; users have to capture
packets at the network layer to find out the truth. This is a lot more
inconvenient compared to customizing the log format.
Also, for headers like "X-Forwarded-For", attackers can intentionally
send several spoofed IP addresses.
Although nginx cannot possibly know which one is more important than the
others, it MAY alert the user by logging "duplicated headers detected,
header: value1, value2, ... valueN".
Currently, we use the nginx-lua module to detect duplicate headers, like:
itable = ngx.req.get_headers()["X-Forwarded-For"]
if type(itable) == "table" then  -- only a table when the header was repeated
  for k, v in ipairs(itable) do
    -- process duplicate header
  end
end
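As an added example that is not part of the original post, the following ngx_lua snippet generalises the check above from one header name to every request header: ngx.req.get_headers() maps a header that appeared more than once to a Lua array of its values, so any table-valued entry is a duplicate. The detection logic is plain Lua and runs outside nginx on a constructed header table; the function names, the log wording and the sample values are assumptions made for this example.

```lua
-- Added example (not from the original post): detect every duplicated
-- request header in an OpenResty/ngx_lua access phase and log it.
-- Assumptions: ngx_lua is available when run inside nginx; the function
-- names, log format and sample header values are chosen for illustration.

-- Pure-Lua part: given a table as returned by ngx.req.get_headers(),
-- where a repeated header maps to an array of its values, return a list
-- of {name = ..., values = {...}} entries, sorted by header name.
local function find_duplicate_headers(headers)
  local dups = {}
  for name, value in pairs(headers) do
    if type(value) == "table" then
      dups[#dups + 1] = { name = name, values = value }
    end
  end
  table.sort(dups, function(a, b) return a.name < b.name end)
  return dups
end

-- One log line per duplicated header, in the shape the post asks for:
-- duplicated headers detected, header: x-forwarded-for: 203.0.113.9, 198.51.100.7
local function format_duplicate(entry)
  return string.format("duplicated headers detected, header: %s: %s",
    entry.name, table.concat(entry.values, ", "))
end

if ngx and ngx.req then
  -- Inside nginx (e.g. access_by_lua_block): get_headers() lowercases names
  -- and reads at most 100 headers by default; passing 0 lifts that limit so
  -- a request carrying many duplicate headers is not silently truncated.
  local headers = ngx.req.get_headers(0)
  for _, entry in ipairs(find_duplicate_headers(headers)) do
    ngx.log(ngx.WARN, format_duplicate(entry))
  end
else
  -- Stand-alone run: constructed header table mimicking get_headers() output.
  local sample = {
    ["host"] = "example.com",
    ["x-forwarded-for"] = { "203.0.113.9", "198.51.100.7" }, -- sent twice
    ["x-real-ip"] = "192.0.2.1",
  }
  for _, entry in ipairs(find_duplicate_headers(sample)) do
    print(format_duplicate(entry))
  end
end
```

Run stand-alone with a plain Lua interpreter it prints one line for x-forwarded-for; under nginx the same line goes to the error log at WARN level, which gives the duplicate-header signal the post wants without capturing packets. Because the values are logged verbatim, this does not decide which address is "real"; it only makes the repetition visible so the operator can treat the request as untrusted.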