A deep dive into X-Forwarded-For

Source: Internet
Author: User

Reposted from: http://www.cnblogs.com/yihang/archive/2010/12/19/1910365.html

There are now many deployments that use Nginx as a load balancer, and each kind of application has its own points to watch. This article walks through what happens to the X-Forwarded-For request header when load balancing is done behind a CDN. The discussion assumes a simple web topology: client, CDN, Nginx load balancer, backend web servers.

First, the definition of X-Forwarded-For:
X-Forwarded-For (abbreviated as the XFF header) represents the real IP of the client, that is, the originating side of the HTTP request. It is only added by HTTP proxies or load-balancing servers. It is not a standard request header defined in an RFC; a detailed description of the header can be found in the Squid cache proxy server development documentation.
The standard format is as follows:
    X-Forwarded-For: client1, proxy1, proxy2
As the format shows, the X-Forwarded-For header can carry multiple values separated by commas. The first is the real client IP, and the rest are the IPs of the proxies or load balancers the request passed through, each appended in turn as the request passes through it.

Given this topology, one would expect that when a user request reaches the Nginx load balancer via the CDN, its X-Forwarded-For header should be "client IP, CDN IP". In practice this is not the case: CDN providers generally alter this header for their own security reasons, leaving only the client IP. We can verify this by reading X-Forwarded-For in a PHP program, or by using Nginx's add_header directive to echo the value back in a response header.

Now consider the request header as it reaches the Nginx load balancer. By default Nginx does no processing of X-Forwarded-For when forwarding to the backend, unless the user sets it with the proxy_set_header directive:
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

The $proxy_add_x_forwarded_for variable contains the X-Forwarded-For header from the client request, with $remote_addr appended after a comma. If the request carries no X-Forwarded-For header, $proxy_add_x_forwarded_for equals $remote_addr.

The value of the $remote_addr variable is the IP of the client that connected to Nginx.

Two situations can arise when Nginx sets X-Forwarded-For to $proxy_add_x_forwarded_for:

1. If the request from the CDN does not carry an X-Forwarded-For header (which normally does not happen) and our Nginx sets it to $proxy_add_x_forwarded_for, the X-Forwarded-For value will be the IP of the CDN, because relative to the Nginx load balancer the CDN is the client. The backend web program will then be unable to obtain the real user's IP.

2. If the CDN did set X-Forwarded-For and we set it again here with the value $proxy_add_x_forwarded_for, the X-Forwarded-For content becomes "client IP, Nginx load balancer server IP". In this case the backend program can obtain the client IP from X-Forwarded-For by taking the first comma-separated item.

As the two points above show, if we know that the CDN sets X-Forwarded-For and that it contains only the client's real IP, our Nginx load balancer can leave the header alone and pass it through as-is.

Nginx also has a $http_x_forwarded_for variable, whose content is the X-Forwarded-For header exactly as received in the request. If the backend program that reads X-Forwarded-For is not robust (it does not account for the header containing multiple IPs), it is best not to set X-Forwarded-For to $proxy_add_x_forwarded_for. Set it to $http_x_forwarded_for instead, or simply do not set it at all.
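As an added example (not code from the original post), the following Python simulates what $proxy_add_x_forwarded_for produces in the two situations above and shows a backend-side parser that copes with a multi-IP header. The IP addresses and the trusted-proxy range are constructed for illustration; the parser walks the chain from the right past known proxies rather than trusting the leftmost entry, which the client itself can set.

```python
from ipaddress import ip_address, ip_network


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Mirror Nginx's $proxy_add_x_forwarded_for: append $remote_addr to the
    incoming X-Forwarded-For after a comma, or use $remote_addr alone when
    the request carried no such header."""
    if incoming_xff:
        return f"{incoming_xff}, {remote_addr}"
    return remote_addr


def parse_xff(header):
    """Split a comma-separated X-Forwarded-For value into a list of entries,
    tolerating surrounding whitespace and empty items."""
    return [part.strip() for part in header.split(",") if part.strip()]


def client_ip(header, trusted_proxies):
    """Return the best estimate of the real client IP from an X-Forwarded-For
    chain. Hops are inspected from the right (closest to us); addresses that
    fall inside a trusted proxy network are skipped, and the first untrusted
    address is the client. Returns None if every hop is a trusted proxy (the
    client IP was lost) or if an entry is not a valid IP address."""
    nets = [ip_network(n) for n in trusted_proxies]
    for hop in reversed(parse_xff(header)):
        try:
            addr = ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not any(addr in net for net in nets):
            return hop
    return None


if __name__ == "__main__":
    # Constructed addresses: CDN node and client taken from documentation ranges.
    cdn_ip, real_client = "203.0.113.10", "198.51.100.7"
    trusted = ["203.0.113.0/24"]  # constructed: the CDN's address range
    # Situation 1: CDN sent no X-Forwarded-For; only the CDN IP survives.
    print(client_ip(proxy_add_x_forwarded_for("", cdn_ip), trusted))
    # Situation 2: CDN set the header; Nginx appends its $remote_addr.
    print(client_ip(proxy_add_x_forwarded_for(real_client, cdn_ip), trusted))
    # Client-supplied junk on the left does not displace the real client.
    print(client_ip(f"192.0.2.99, {real_client}, {cdn_ip}", trusted))
```

Situation 1 yields None, which is the "backend cannot get the real user IP" case from the text; the other two calls both yield the real client.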

Reference article: http://en.wikipedia.org/wiki/X-Forwarded-For
