PHP
Ruslan Khoroshkevich, 2018-03-20 13:39:02

Parse HTTP_X_FORWARDED_FOR content or not?

Good afternoon.
There is a domain whose A record points to ip1. On ip1 there is an nginx proxy that sets headers like:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;

and passes the request on to ip2. When a proxy is used in front of ip1, such as Chrome's data compression, HTTP_X_REAL_IP contains the IP of that proxy. Disable compression and HTTP_X_REAL_IP contains the user's real IP.
At the same time, HTTP_X_FORWARDED_FOR always contains one or more IPs separated by commas, and the first is always the client's IP.
The essence of the question:
Is it worth checking additional fields where the IP can be found, or is it easier to just parse the contents of HTTP_X_FORWARDED_FOR?


1 answer(s)
SagePtr, 2018-03-20
@Zezst

X-Forwarded-For contains the chain of addresses the request passed through: each subsequent proxy in the chain (if so configured) appends the address from which it received the request. Accordingly, these addresses cannot be trusted; the client can put anything there.
X-Real-IP is the IP address from which the request to nginx was made. It can be trusted if the backend cannot be reached bypassing your nginx (otherwise anything can be passed there too).
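The following is an added example (not code from the question or the answer) that puts the answer's two points into practice on the PHP side: headers are honoured only when REMOTE_ADDR is one of your own proxies, and X-Forwarded-For is walked from the right (the hop nginx appended) towards the left, stopping at the first address that is not a trusted proxy. The proxy addresses, CIDR ranges and request arrays are constructed sample values; the function names are assumptions, and the code assumes 64-bit PHP 8 for the IPv4 mask arithmetic.

```php
<?php
// Added example, not the original page's code. Assumes nginx on ip1 is the
// only trusted proxy and that the backend cannot be reached bypassing it.

declare(strict_types=1);

/** True if IPv4 $ip lies inside $cidr ("10.0.0.0/8" or a bare "10.0.0.5"). 64-bit PHP assumed. */
function ipInCidr(string $ip, string $cidr): bool
{
    if (!str_contains($cidr, '/')) {
        $cidr .= '/32';
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $bits = (int) $bits;
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** True if $ip matches any entry of the trusted-proxy list. */
function isTrustedProxy(string $ip, array $trustedProxies): bool
{
    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Determine the client IP from a $_SERVER-like array.
 * REMOTE_ADDR is the only address the backend observed itself. Headers are
 * used only when REMOTE_ADDR is a trusted proxy, and X-Forwarded-For is
 * read right-to-left: the rightmost entry was appended by our nginx, and
 * the first entry that is not one of our proxies is whoever actually
 * connected to us. Anything further left was written by parties we do not
 * control, so it is ignored.
 */
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($remote, $trustedProxies)) {
        // Request did not arrive via our nginx: every header is attacker-controlled.
        return $remote;
    }
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if ($hop === '' || filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: do not trust anything to its left
        }
        if (!isTrustedProxy($hop, $trustedProxies)) {
            return $hop;
        }
    }
    // Header empty, malformed, or every hop was one of ours: fall back to
    // X-Real-IP (nginx overwrites it with $remote_addr), then to REMOTE_ADDR.
    $real = $server['HTTP_X_REAL_IP'] ?? '';
    return filter_var($real, FILTER_VALIDATE_IP) !== false ? $real : $remote;
}

// Constructed sample values: 198.51.100.1 stands in for ip1's public side,
// 10.0.0.1 for the side from which it talks to the backend (ip2).
$trusted = ['198.51.100.1', '10.0.0.0/8'];

// 1) The client forged X-Forwarded-For; nginx appended the address it really saw.
$forged = [
    'REMOTE_ADDR'          => '10.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.5', // "1.2.3.4" is the client's claim
    'HTTP_X_REAL_IP'       => '203.0.113.5',
];
echo 'forged header:   ', clientIp($forged, $trusted), PHP_EOL;

// 2) The client came through a third-party proxy (e.g. a compression proxy).
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.5, 192.0.2.77', // 192.0.2.77 = the third-party proxy
    'HTTP_X_REAL_IP'       => '192.0.2.77',
];
echo 'via other proxy: ', clientIp($viaProxy, $trusted), PHP_EOL;

// 3) The backend was reached directly, bypassing nginx; headers are ignored.
$bypass = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 10.0.0.2',
    'HTTP_X_REAL_IP'       => '10.0.0.1',
];
echo 'bypassed nginx:  ', clientIp($bypass, $trusted), PHP_EOL;
```

In the first sample the function returns 203.0.113.5 rather than the forged 1.2.3.4, which is why "the first entry is always the client" only holds when the client is honest. In the second it returns the third-party proxy's address: that proxy is the only party that actually connected to your nginx, and the entry to its left is its claim, not something you observed. Whether to accept that claim is a trust decision, and the way to express it is to add that proxy's ranges to the trusted list so the walk continues one hop further left. In the third sample the headers are ignored entirely because REMOTE_ADDR is not one of your proxies, which is the same condition the answer puts on trusting X-Real-IP.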
