How to use the realip module in Nginx basic learning

Preface

There are two types of nginx modules, official and third-party. We use the command nginx -V to view the nginx installation information, and we can see the following module information about the --with nginx startup loading.

realip module

Purpose: When the local Nginx is in the reverse proxy backend, the user's real IP address can be obtained.

Usage: The realip function requires Nginx to add the ngx_http_realip_module module, which is not compiled by default. If you need to add it, please add the --with-http_realip_module option to enable it during compilation.

realip scope

set_real_ip_from, real_ip_header and real_ip_recursive can all be used in http, server and location zone configurations.

Explanation of some realip parameters

• set_real_ip_from: Set the reverse proxy server, that is, trust the server IP
• real_ip_header X-Forwarded-For: The user's real IP address is in the X-Forwarded-For request header.
• real_ip_recursive :
  • off: The last IP in the HTTP header specified by real_ip_header will be used as the real IP
  • on: The last IP in the HTTP header specified by real_ip_header that is not a trusted server will be treated as the real IP
    

Explanation of X-Forwarded-For, X-Real-IP, and Remote Address in the http header

X-Forwarded-For is located in the HTTP request header and is an extended header of HTTP, used to indicate the real IP address of the HTTP request end.

The format is as follows:

X-Forwarded-For: client, proxy1, proxy2

Nginx proxy is generally configured as:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

explain:

• X-Forwarded-For: Nginx appends it, but the front part comes from the request header received by nginx, so this part is not very credible. Only those that conform to the IP format can be used, otherwise it is easy to cause XSS or SQL injection vulnerabilities.
• Remote Address: The HTTP protocol does not have the concept of IP. The Remote Address comes from the TCP connection and indicates the IP of the device that establishes a TCP connection with the server. Therefore, the Remote Address cannot be forged.
• X-Real-IP: HTTP proxy is used to indicate the IP address of the device that establishes a TCP connection with it, which may be another proxy or the real requesting end.
  

Realip function example

Here is a simple architecture diagram:

Assumption 1:

1. If Nginx does not use the realip module, the X-Forwarded-For request in the second Nginx is 1.1.1.1, but the remote_addr address is 2.2.2.2. At this time, the application service can obtain the user's real IP through the X-Forwarded-For field. However, there is a risk here. If there are multiple layers of reverse proxy services in the middle, it will be impossible to obtain the unique user's real IP.

2. If Nginx uses the realip module and is configured as follows, Nginx will take the last IP in X-Forwarded-For, which is 2.2.2.2, as the real IP. Finally, the address obtained by the application service is also 2.2.2.2, but in fact this is not the user's IP.

set_real_ip_from 2.2.2.2;
set_real_ip_from 2.2.2.3; 
real_ip_header X-Forwarded-For; 
real_ip_recursive off;

3. If Nginx uses the realip module and is set up as follows; since 2.2.2.2 is a trusted server IP, Nginx will continue to search forward and find that 1.1.1.1 is not a trusted server IP, it will consider it to be the real IP. But the fact is that 1.1.1.1 is the user's IP. Finally, the application service also obtains the unique real IP of the user.

set_real_ip_from 2.2.2.2;
set_real_ip_from 2.2.2.3; 
real_ip_header X-Forwarded-For; 
real_ip_recursive on;

Summarize

This is the end of this article about the use of realip module in Nginx basic learning. For more information about the use of Nginx realip module, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope everyone will support 123WORDPRESS.COM in the future!