Reverse Proxy Security

When using nginx as reverse proxy, to determine the actual client IP
address I would need to rely on the X-Real-IP header. Since this is just
an HTTP header that can be faked, is it possible for a visitor to
include an X-Real-IP header value of their own, passing a fake IP to the
back-end server? Does nginx always overwrite this value with the one it
detects?

Thx

Posted at Nginx Forum:

You may choose an unusual header name.

On Fri, Apr 23, 2010 at 6:09 AM, karmaboy [email protected] wrote:

Ren Xiaolei

On Fri, Apr 23, 2010 at 05:46, 任晓磊 [email protected] wrote:

You may choose an unusual header name.

security by obscurity…

Thanks for the replies. Always writing is the behavior I would expect,
so I’ll test for that and go with it.

On Thu, Apr 22, 2010 at 06:09:28PM -0400, karmaboy wrote:

When using nginx as reverse proxy, to determine the actual client IP address I would need to rely on the X-Real-IP header. Since this is just an HTTP header that can be faked, is it possible for a visitor to include an X-Real-IP header value of their own, passing a fake IP to the back-end server? Does nginx always overwrite this value with the one it detects?

Yes, nginx always overwrites a header if you set it in proxy_set_header.


Igor S.
http://sysoev.ru/en/
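The answer above covers the proxied path: with `proxy_set_header X-Real-IP $remote_addr;` in the nginx config, whatever X-Real-IP a visitor sends is replaced before the request reaches the back-end. The part a back-end still has to get right is to honour that header only when the connection actually came from nginx, since a request that reaches the back-end port directly carries whatever header its sender chose. The following is an added example, not code from the thread or from nginx: a small model of the overwrite step (a stand-in for nginx's behaviour, not nginx itself) next to a back-end helper that derives the client address and only trusts X-Real-IP when the TCP peer is a configured proxy. The function names, the trusted-proxy list and the sample addresses are all assumptions made for the example.

```python
# Added example (not from the thread). Assumes nginx is configured with
#     proxy_set_header X-Real-IP $remote_addr;
# which, per the reply above, overwrites any X-Real-IP the visitor sent.
import ipaddress
from typing import Dict, Iterable, Mapping, Optional

# Addresses/networks the back-end accepts as its own reverse proxies.
# Constructed value for the example; use the real proxy addresses in practice.
TRUSTED_PROXIES = ("127.0.0.1", "::1", "10.0.0.0/8")


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    want = name.lower()
    for key, value in headers.items():
        if key.lower() == want:
            return value
    return None


def proxy_forward(client_peer: str, client_headers: Mapping[str, str]) -> Dict[str, str]:
    """Model of the proxy_set_header step: drop any X-Real-IP the client sent
    and set it to the address the proxy itself observed on the connection.
    This is a stand-in for nginx's behaviour, not nginx code."""
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != "x-real-ip"}
    forwarded["X-Real-IP"] = client_peer
    return forwarded


def client_ip(remote_addr: str,
              headers: Mapping[str, str],
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Back-end side: return the address to treat as the client.

    remote_addr     -- TCP peer of this connection (REMOTE_ADDR in WSGI terms)
    headers         -- request headers as received by the back-end
    trusted_proxies -- proxies whose X-Real-IP we are willing to believe
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if not any(peer in net for net in trusted):
        # Did not arrive via our proxy: the header is untrusted input, ignore it.
        return remote_addr
    real_ip = _get_header(headers, "X-Real-IP")
    if real_ip is None:
        return remote_addr
    try:
        # Normalise and validate; reject anything that is not a bare IP literal.
        return str(ipaddress.ip_address(real_ip.strip()))
    except ValueError:
        return remote_addr


def end_to_end(visitor_peer: str, visitor_headers: Mapping[str, str],
               proxy_addr: str = "127.0.0.1") -> str:
    """Visitor -> proxy -> back-end: what address the back-end ends up with."""
    forwarded = proxy_forward(visitor_peer, visitor_headers)
    return client_ip(proxy_addr, forwarded)


if __name__ == "__main__":
    # Constructed sample: a visitor at 203.0.113.5 sends a forged X-Real-IP.
    forged = {"X-Real-IP": "192.0.2.1", "User-Agent": "example"}
    print("via proxy  :", end_to_end("203.0.113.5", forged))      # 203.0.113.5
    print("direct hit :", client_ip("203.0.113.5", forged))        # 203.0.113.5
```

The two printed cases make the point of the thread: through nginx the forged value never survives, and on a direct connection to the back-end the helper refuses to read the header at all, so the forged value is ignored either way.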