X-forwarded-for Deep Mining

There are already many instances using nginx for load balancing. For different application scenarios, there are still many things to be noted about, this article is about how the X-forwarded-for item in the Request Header changes when it reaches nginx for Load Balancing after CDN. For a simple Web architecture:

 

 

 

 

 

Let's take a look at the definition of X-forwarded-:
X-forwarded-for: the xFF header, which represents the real IP address of the client, that is, the HTTP request end. This header is added only when the HTTP proxy or Server Load balancer is passed. It is not the standard request header information defined in RFC. You can find this item in the Squid cache proxy server development documentation.
The standard format is as follows:
X-forwarded-for: Client1, proxy1, proxy2
From the standard format, we can see that,There can be multiple X-forwarded-for headers separated by commas. The first item is the real client IP address, and the rest is the IP address of the proxy or Server Load balancer that has been used, A few will appear after a few.

According to the Web architecture diagram, it is easy to see that when a user request reaches the nginx server after passing through the CDNThe X-forwarded-for header information should beClient IP, cdn ip.However, this is not the case. Generally, the CDN service provider will make some changes to this information for its own security considerations, only retaining the Client IP address. We can use the PHP program to obtainX-forwarded-You can use the Add header method of nginx to set the return header.

The following is an analysis of the request header arriving at the nginx Server Load balancer server. By default, nginx does notX-forwarded-for header for any processing, unless you useProxy_set_header parameter settings:
Proxy_set_header X-forwarded-for $ proxy_add_x_forwarded_for;

$ Proxy_add_x_forwarded_for variable contains "X-forwarded-for" in the client request header, which is separated from $ remote_addr by commas. If no "X-forwarded-for" Request Header exists, then $ proxy_add_x_forwarded_for is equal to $ remote_addr.

The value of the $ remote_addr variable is the Client IP address.

When nginx is set to X-forwarded-for to $ proxy_add_x_forwarded_for, there will be two situations.

1. If the X-forwarded-for header is not set for a request from CDN (this will not happen normally), and nginx sets it to $ proxy_add_x_forwarded_for, the X-forwarded-for information should be the cdn ip address, because the client is CDN as opposed to nginx load balancing. In this case, the backend web programs cannot obtain the IP addresses of real users.

2. x-forwarded-for is set for CDN. Here we set it again and the value is $ proxy_add_x_forwarded_for. Then, the content of X-forwarded-for is changed to "Client IP address, the IP address of the nginx Server Load balancer "if this is the case, the backend program obtains the IP address of the client through X-forwarded-for, and the first item is separated by commas.

As mentioned above, if we know that CDN has configured X-forwarded-for information and only the real IP address of the client, then our nginx Server Load balancer server can ignore this header, make it default.

In fact, there is a $ http_x_forwarded_for variable in nginx. The content saved in this variable is the X-forwarded-for information in the request. If the backend program that obtains the X-forwarded-for information has poor compatibility (not considering that X-forwarded-for contains multiple IP addresses ), it is best not to set X-forwarded-for to $ proxy_add_x_forwarded_for. It should be set to $ http_x_forwarded_for or simply not!

Reference: http://en.wikipedia.org/wiki/X-Forwarded-For

 

 

Reprinted: http://www.cnblogs.com/yihang/archive/2010/12/19/1910365.html