Feature Request: write error logs when detecting duplicate http headers

Hi:

When duplicate http headers occur(e.g., two X-Forwarded-For headers),
nginx
will use the first instance silently. This means internal variables like
$http_x_forwarded_for is not entirely correct, users have to capture
packets in the network layer to find out the truth. This is a lot of
inconvenient compared to customize log format.

Also, for headers like “X-Forwarded-For”, attackers can intentionaly
inject
serveral spoofed ip addresses.

Although nginx cannot possibly known which one is more important than
the
others, it MAY alert user by logging “duplicated headers detected,
header:value1, value2, … value N”.

Currently, we use nginx-lua module to detect duplicate headers, like:

itable = ngx.req.get_headers()[“X-Forwarded-For”]
for k, v in iparis(itable) do
– process duplicate header
end

Hi,

Also, for headers like “X-Forwarded-For”, attackers can intentionaly
inject serveral spoofed ip addresses.

Of course, that’s why you should never trust the data that comes from
the
systems outside of your control.

Best regards,
Piotr S. < [email protected] >

On Tue, Jun 7, 2011 at 4:21 PM, 杨镭 [email protected] wrote:

Although nginx cannot possibly known which one is more important than the
others, it MAY alert user by logging “duplicated headers detected,
header:value1, value2, … value N”.

It is not a matter of “knowing which is more important”, the spec is
clear
which headers can be repeated and which are invalid, and for this header
repeating it is invalid. You should make sure you filter any headers you
are
using internally like X-Forwarded-For anyway as a security measure…

thanks,recently i ran into this problem
I saw you this post, help me with this problem

Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,204689,267222#msg-267222

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs