Forum: NGINX HTTP_X_FORWARDED_FOR being truncated/prefixed with a comma and no IP for some requests

scianos (Guest)
on 2013-09-19 01:51
(Received via mailing list)
Hi -

I have confirmed an unusual situation in which it appears the leading
address is being stripped from x-forwarded-for headers passed on to
downstream hosts (running Apache in this case) on very specific requests.
I haven't been able to determine a pattern that triggers the event.

Has anyone else experienced this issue/seen anything similar? I've been
managing nginx-based services for some time and this is the first event in
which I've seen this behavior; I am at a loss.

Kind regards,
Stu

Technical info:
Example:
HTTP_X_FORWARDED_FOR=, 10.2.8.141 SERVER_ADDR=10.5.7.112
REMOTE_ADDR=10.4.7.114
- note the leading "," on the x_forwarded_for header and the missing leading
IP.

Configuration example:
    location / {
      proxy_set_header X-Real-IP  $remote_addr;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $host;
      proxy_pass   http://backend1/;
    }


Version info:
nginx version: nginx/1.2.6 (Ubuntu)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-log-path=/var/log/nginx/access.log
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi
--lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --with-pcre-jit --with-debug
--with-http_addition_module --with-http_dav_module
--with-http_geoip_module
--with-http_gzip_static_module --with-http_image_filter_module
--with-http_realip_module --with-http_stub_status_module
--with-http_ssl_module --with-http_sub_module --with-http_xslt_module
--with-ipv6 --with-sha1=/usr/include/openssl
--with-md5=/usr/include/openssl
--with-mail --with-mail_ssl_module
--add-module=/tmp/buildd/nginx-1.2.6/debian/modules/nginx-auth-pam
--add-module=/tmp/buildd/nginx-1.2.6/debian/modules/nginx-echo
--add-module=/tmp/buildd/nginx-1.2.6/debian/modules/nginx-upstream-fair
--add-module=/tmp/buildd/nginx-1.2.6/debian/modules/nginx-dav-ext-module

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,242970,242970#msg-242970
Maxim Dounin (Guest)
on 2013-09-19 12:36
(Received via mailing list)
Hello!

On Wed, Sep 18, 2013 at 07:50:13PM -0400, scianos wrote:

>
> Kind regards,
> Stu
>
> Technical info:
> Example:
> HTTP_X_FORWARDED_FOR=, 10.2.8.141 SERVER_ADDR=10.5.7.112
> REMOTE_ADDR=10.4.7.114
> - note the leading "," on the x_forwarded_for header and the missing leading
> IP.

This can easily happen if an original request contains an empty
X-Forwarded-For header.  See no problem here.

--
Maxim Dounin
http://nginx.org/en/donation.html
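
The behaviour discussed in this thread, as an added example that is not part of either post and is not nginx code: a small Python model of how `$proxy_add_x_forwarded_for` produces `, 10.2.8.141` from an empty client header, plus a backend-side parser that tolerates the empty element. The function names, the trusted-proxy list and the stop-at-first-invalid-element policy are assumptions made for illustration.

```python
import ipaddress


def proxy_add_x_forwarded_for(incoming, remote_addr):
    """Model of nginx's documented behaviour: append $remote_addr to the
    client's X-Forwarded-For; use $remote_addr alone only when the header
    is absent (None). An empty header still counts as present."""
    if incoming is None:
        return remote_addr
    return incoming + ", " + remote_addr


def _parse(element):
    """Return an ip_address for a header element, or None if empty/invalid."""
    try:
        return ipaddress.ip_address(element.strip())
    except ValueError:
        return None


def client_ip(xff_value, peer_addr, trusted_proxies):
    """Backend side: walk the chain right to left, starting at the TCP peer.
    Only hops appended by trusted proxies are believed; the walk stops at the
    first untrusted address or at the first empty/malformed element."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    peer = ipaddress.ip_address(peer_addr)
    if not trusted(peer):
        return str(peer)          # header came from an untrusted sender
    candidate = peer
    for element in reversed((xff_value or "").split(",")):
        ip = _parse(element)
        if ip is None:
            break                 # empty element, e.g. the leading "" here
        candidate = ip
        if not trusted(ip):
            break                 # first address not vouched for by a proxy
    return str(candidate)


if __name__ == "__main__":
    # Constructed input reproducing the values quoted in the thread.
    header = proxy_add_x_forwarded_for("", "10.2.8.141")
    print(repr(header))                                        # ', 10.2.8.141'
    print(client_ip(header, "10.4.7.114", ["10.4.7.114/32"]))  # 10.2.8.141
```

Since the leftmost elements are whatever the client sent, a backend that takes the first element of the header as the client address gets an empty string here.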