Django
Animkim, 2016-09-13 09:27:04

Remote_addr and user ip?

There is an nginx + gunicorn + django stack.
The user's ip is written to the database when the user leaves a request, it is used simply as additional information about the user.

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-Protocol $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

So, I noticed that there are a lot of requests in the database from the ip of the server itself. I investigated, but I could not reproduce a case where the ip of the server was recorded in the database instead of my ip (or the proxy's, it doesn't matter).
The ip from HTTP_X_FORWARDED_FOR is written to the database; if it is empty, then the one from HTTP_X_REAL_IP.
As I understand it, with an empty HTTP_X_FORWARDED_FOR header, nginx puts $remote_addr there.
In general, I can’t understand where the server’s ip comes from and why this does not always happen, but sometimes. Maybe someone can at least give me an idea.


1 answer(s)
Oleg, 2016-09-13
@ollisso

proxy_add_x_forwarded_for is a dangerous header, because in fact, any proxy can modify it in any way.
A simple example: I set up a local proxy for myself and configure it so that the Pentagon's IP is written in this header. You will then keep information saying that the request came to you from the Pentagon :)
If you use it, then you need to use it only for trusted IP addresses.
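
The "trusted IP addresses only" rule from the answer above, as an added example (not code from the question or the answer): the header is read only when the direct peer is a known proxy, and it is walked from right to left, because nginx's `$proxy_add_x_forwarded_for` appends the address it actually saw to whatever the client sent. The names `TRUSTED_PROXIES` and `client_ip` are hypothetical, and the list assumes nginx runs on the same host as gunicorn.

```python
import ipaddress

# Assumption: nginx talks to gunicorn over loopback. List every proxy you operate.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "::1/128")]

# Constructed sample: the client sent "X-Forwarded-For: 198.51.100.1" itself,
# and nginx appended the address it really saw (203.0.113.7).
SAMPLE_META = {
    "REMOTE_ADDR": "127.0.0.1",
    "HTTP_X_FORWARDED_FOR": "198.51.100.1, 203.0.113.7",
}


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(value):
    """Return an ip_address object, or None for junk such as 'unknown' or ''."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(meta):
    """Pick the address to store from a Django-style request.META dict."""
    peer = _parse(meta.get("REMOTE_ADDR", ""))
    if peer is None:
        return None
    if not _is_trusted(peer):
        # Direct connection: any forwarding header here is client-supplied.
        return str(peer)
    hops = meta.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:
            break  # malformed or empty entry: nothing further left is verifiable
        if not _is_trusted(addr):
            return str(addr)  # first hop that was not written by our own proxies
    # Header empty, malformed, or trusted hops only: request came from the proxy host.
    return str(peer)
```

In a Django view this would be called as `client_ip(request.META)`; a `None` result means no usable peer address was available and should be stored as such rather than guessed.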
