HTTP_X_FORWARDED_FOR being truncated/prefixed with a comma and no IP for some requests

Hi -

I have confirmed an unusual situation in which it appears the leading
address is being stripped from x-forwarded-for headers passed on to
downstream hosts (running Apache in this case) on very specific
requests. I haven’t been able to determine a pattern that triggers the
event.

Has anyone else experienced this issue/seen anything similar? I’ve been
managing nginx-based services for some time and this is the first event
in which I’ve seen this behavior; I am at a loss.

Kind regards,
Stu

Technical info:
Example:
HTTP_X_FORWARDED_FOR=, 10.2.8.141 SERVER_ADDR=10.5.7.112
REMOTE_ADDR=10.4.7.114

  • note the leading “,” on the x_forwarded_for header and the missing
    leading IP.

Configuration example:
location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    # incoming X-Forwarded-For value with $remote_addr appended
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_pass http://backend1/;
}

Version info:
nginx version: nginx/1.2.6 (Ubuntu)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-log-path=/var/log/nginx/access.log
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi
--lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --with-pcre-jit --with-debug
--with-http_addition_module --with-http_dav_module
--with-http_geoip_module
--with-http_gzip_static_module --with-http_image_filter_module
--with-http_realip_module --with-http_stub_status_module
--with-http_ssl_module --with-http_sub_module --with-http_xslt_module
--with-ipv6 --with-sha1=/usr/include/openssl
--with-md5=/usr/include/openssl
--with-mail --with-mail_ssl_module
--add-module=/tmp/buildd/nginx-1.2.6/debian/modules/nginx-auth-pam
--add-module=/tmp/buildd/nginx-1.2.6/debian/modules/nginx-echo
--add-module=/tmp/buildd/nginx-1.2.6/debian/modules/nginx-upstream-fair
--add-module=/tmp/buildd/nginx-1.2.6/debian/modules/nginx-dav-ext-module

Posted at Nginx Forum:

Hello!

On Wed, Sep 18, 2013 at 07:50:13PM -0400, scianos wrote:

Kind regards,
Stu

Technical info:
Example:
HTTP_X_FORWARDED_FOR=, 10.2.8.141 SERVER_ADDR=10.5.7.112
REMOTE_ADDR=10.4.7.114

  • note the leading “,” on the x_forwarded_for header and the missing leading
    IP.

This can easily happen if an original request contains an empty
X-Forwarded-For header. See no problem here.


Maxim D.
http://nginx.org/en/donation.html
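
The behaviour described in the reply above, as an added example that is not part of the original thread or of nginx itself: a Python model of the documented $proxy_add_x_forwarded_for rule, plus a backend-side parser that tolerates the resulting empty leading element. The function names and the trusted-proxy set are assumptions; the addresses are the ones from the post.

```python
import ipaddress


def proxy_add_x_forwarded_for(incoming, remote_addr):
    """Model of nginx's documented $proxy_add_x_forwarded_for rule.

    incoming is None when the request carries no X-Forwarded-For header
    and "" when the header is present but empty.
    """
    if incoming is None:
        return remote_addr
    # Header present (even if empty): append ", <remote_addr>" to it.
    return f"{incoming}, {remote_addr}"


def client_ip(xff, peer_addr, trusted_proxies):
    """Return the right-most address that is not a trusted proxy.

    The header is client-controlled, so the walk goes right to left and
    stops at the first untrusted, empty or unparsable element.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    candidate = ipaddress.ip_address(peer_addr)
    if candidate not in trusted:
        return str(candidate)  # direct connection: ignore the header
    for element in reversed(xff.split(",")):
        try:
            addr = ipaddress.ip_address(element.strip())
        except ValueError:
            break  # empty or malformed element: keep last valid address
        candidate = addr
        if addr not in trusted:
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed input: a request with an empty X-Forwarded-For header
    # reaching nginx from 10.2.8.141, as in the post.
    header = proxy_add_x_forwarded_for("", "10.2.8.141")
    print(repr(header))
    # Assumption: the backend trusts only its nginx peer, 10.4.7.114.
    print(client_ip(header, "10.4.7.114", {"10.4.7.114"}))
```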