You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by "ipanocloud (via GitHub)" <gi...@apache.org> on 2023/03/26 09:20:16 UTC
[GitHub] [apisix] ipanocloud opened a new issue, #9168: bug: X-Forwarded-For logic error in real-ip plugin
ipanocloud opened a new issue, #9168:
URL: https://github.com/apache/apisix/issues/9168
### Current Behavior
When there are multiple IPs in XFF, real-ip will use the last IP as the source IP.
### Expected Behavior
remote-addr: 10.200.193.44
### Error Logs
none
### Steps to Reproduce
1. apisix route config
`"plugins": {
"real-ip": {
"disable": false,
"source": "http_x_forwarded_for"
},
"response-rewrite": {
"disable": false,
"headers": {
"remote_addr": "$remote_addr",
"remote_port": "$remote_port"
}
}
}`
2.nginx access log
`"x-real-ip":"10.200.193.44",
"x-forwarded-for":"10.200.193.44, 10.182.40.33",
"x-forwarded-host":"snc-manage-dev.zeekrlife.com",
"x-forwarded-port":"80",
"x-forwarded-proto":"http",
"host":"snc-manage-dev.zeekrlife.com",
"x-original-forwarded-for":"10.200.193.44",
"remoteip":"10.200.193.44",`
3. response log
remote-addr: 10.182.40.33
remote-port: 58494
### Environment
- APISIX version (run `apisix version`): 2.15.0
- Operating system (run `uname -a`): Linux apisix-web-67fbf9465b-hccgr 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 Linux
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`): openresty/1.21.4.1
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): 3.5.0
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] bug: X-Forwarded-For logic error in real-ip plugin [apisix]
Posted by "Top-mkx (via GitHub)" <gi...@apache.org>.
Top-mkx commented on issue #9168:
URL: https://github.com/apache/apisix/issues/9168#issuecomment-1983045651
> > Please have a look at trusted_addresses and recursive configuration. You need to set 10.182.40.33 as the trusted address, so that the real-ip plugin will continue to search forward, which is consistent with the logic of the ngx_http_realip_module module. http://nginx.org/en/docs/http/ngx_http_realip_module.html请查看trusted_addresses和递归配置。您需要将10.182.40.33设置为可信地址,这样real-ip插件会继续向前搜索,这与ngx_http_realip_module模块的逻辑一致。http://nginx.org/en/docs/http/ngx_http_realip_module.html
>
> for example: "x-forwarded-for":"101.37.117.213, 120.27.173.47, 10.182.40.32"例如:“x-forwarded-for”:“101.37.117.213,120.27.173.47,10.182.40.32“ except for the first one, Each one is added to the trust list ? Why not take the first one. 除了第一个,每个人都被加入信任名单了吗为什么不选第一个。
>
> > Please have a look at trusted_addresses and recursive configuration. You need to set 10.182.40.33 as the trusted address, so that the real-ip plugin will continue to search forward, which is consistent with the logic of the ngx_http_realip_module module. http://nginx.org/en/docs/http/ngx_http_realip_module.html请查看trusted_addresses和递归配置。您需要将10.182.40.33设置为可信地址,这样real-ip插件会继续向前搜索,这与ngx_http_realip_module模块的逻辑一致。http://nginx.org/en/docs/http/ngx_http_realip_module.html
>
> for example: "x-forwarded-for":"101.37.117.213, 120.27.173.47, 10.182.40.32"例如:“x-forwarded-for”:“101.37.117.213,120.27.173.47,10.182.40.32“ except for the first one, Each one is added to the trust list ? Why not take the first one. 除了第一个,每个人都被加入信任名单了吗为什么不选第一个。
请问该问题解决了,我也遇见同样的问题,
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] ipanocloud commented on issue #9168: bug: X-Forwarded-For logic error in real-ip plugin
Posted by "ipanocloud (via GitHub)" <gi...@apache.org>.
ipanocloud commented on issue #9168:
URL: https://github.com/apache/apisix/issues/9168#issuecomment-1484760429
> Please have a look at trusted_addresses and recursive configuration. You need to set 10.182.40.33 as the trusted address, so that the real-ip plugin will continue to search forward, which is consistent with the logic of the ngx_http_realip_module module. http://nginx.org/en/docs/http/ngx_http_realip_module.html
for example: "x-forwarded-for":"101.37.117.213, 120.27.173.47, 10.182.40.32"
except for the first one, Each one is added to the trust list ? Why not take the first one.
> Please have a look at trusted_addresses and recursive configuration. You need to set 10.182.40.33 as the trusted address, so that the real-ip plugin will continue to search forward, which is consistent with the logic of the ngx_http_realip_module module. http://nginx.org/en/docs/http/ngx_http_realip_module.html
for example: "x-forwarded-for":"101.37.117.213, 120.27.173.47, 10.182.40.32"
except for the first one, Each one is added to the trust list ? Why not take the first one.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] kellyseeme commented on issue #9168: bug: X-Forwarded-For logic error in real-ip plugin
Posted by "kellyseeme (via GitHub)" <gi...@apache.org>.
kellyseeme commented on issue #9168:
URL: https://github.com/apache/apisix/issues/9168#issuecomment-1525363268
> Please have a look at trusted_addresses and recursive configuration. You need to set 10.182.40.33 as the trusted address, so that the real-ip plugin will continue to search forward, which is consistent with the logic of the ngx_http_realip_module module. http://nginx.org/en/docs/http/ngx_http_realip_module.html
hello,can i settings is wrong?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] soulbird commented on issue #9168: bug: X-Forwarded-For logic error in real-ip plugin
Posted by "soulbird (via GitHub)" <gi...@apache.org>.
soulbird commented on issue #9168:
URL: https://github.com/apache/apisix/issues/9168#issuecomment-1484349115
Please have a look at trusted_addresses and recursive configuration. You need to set 10.182.40.33 as the trusted address, so that the real-ip plugin will continue to search forward, which is consistent with the logic of the ngx_http_realip_module module. http://nginx.org/en/docs/http/ngx_http_realip_module.html
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] kellyseeme commented on issue #9168: bug: X-Forwarded-For logic error in real-ip plugin
Posted by "kellyseeme (via GitHub)" <gi...@apache.org>.
kellyseeme commented on issue #9168:
URL: https://github.com/apache/apisix/issues/9168#issuecomment-1520401563
> except for the first one, Each one is added to the trust list ? Why not take the first one.
>
> >
I have try to set the setting:
`{
"real-ip": {
"recursive": true,
"trusted_address": [
"10.182.40.32",
"10.182.40.32/32"
],
"source": "http_x_forwarded_for"
}
}`
use the curl to set the header:
bash-5.1# curl -H "X-forwarded-for:192.168.0.3,10.182.40.32" localhost -I
HTTP/1.1 200 OK
check the access log:
10.182.40.32 - localhost HEAD / HTTP/1.1 200 0 0.001 curl/7.80.0 10.123.67.241:80 200 0.001 http://localhost
this have no effect.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org