Reverse Proxy Security

When using nginx as reverse proxy, to determine the actual client IP
address I would need to rely on the X-Real-IP header. Since this is just
an HTTP header than can be faked, is it possible for a visitor to
include an X-Real-IP header value of their own, passing a fake IP to the
back-end server? Does nginx always overwrite this value with the one it
detects?

Thx

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,78144,78144#msg-78144

You may choose a unusual Header name.

On Fri, Apr 23, 2010 at 6:09 AM, karmaboy [email protected] wrote:

http://nginx.org/mailman/listinfo/nginx


Ren Xiaolei

On Fri, Apr 23, 2010 at 05:46, 任晓磊 [email protected] wrote:

You may choose a unusual Header name.

security by obscurity…

Thanks for the replies. Always writing is the behavior I would expect,
so I’ll test for that and go with it.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,78144,78908#msg-78908

On Thu, Apr 22, 2010 at 06:09:28PM -0400, karmaboy wrote:

When using nginx as reverse proxy, to determine the actual client IP address I would need to rely on the X-Real-IP header. Since this is just an HTTP header than can be faked, is it possible for a visitor to include an X-Real-IP header value of their own, passing a fake IP to the back-end server? Does nginx always overwrite this value with the one it detects?

Yes, nginx always overwrites a header if you set it in proxy_set_header.


Igor S.
http://sysoev.ru/en/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs