Testing forged X-Forwarded-For headers behind an nginx reverse proxy

Author: 2hei, published 2010-03-18 16:30
Copyright notice: reposting is permitted, provided the original source, author information and this copyright notice are credited with a hyperlink
http://www.2hei.net/mt/2010/03/nginx-x-forwarded-for.html

Test environment: nginx + resin
Internal IP: 172.16.100.10

Client IP: 123.123.123.123


Test page: test.jsp
<%
// print the X-Forwarded-For header exactly as the backend received it
out.println("x-forwarded-for: " + request.getHeader("x-forwarded-for"));
// print the TCP peer address; behind nginx this is the proxy, not the client
out.println("remote hosts: " + request.getRemoteAddr());
%>

nginx configuration 1
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

wget test
wget -O aa --header="X-Forwarded-For:192.168.0.1" "http://2hei.net/test.jsp"
Page output:
x-forwarded-for: 192.168.0.1, 123.123.123.123
remote hosts: 172.16.100.10

curl test
curl -H "X-Forwarded-For:192.168.0.1" "http://2hei.net/test.jsp"
x-forwarded-for: 192.168.0.1, 123.123.123.123
remote hosts: 172.16.100.10


nginx configuration 2
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

wget test:
wget -O aa --header="X-Forwarded-For:192.168.0.1" "http://2hei.net/test.jsp"
Page output:
x-forwarded-for: 123.123.123.123
remote hosts: 172.16.100.10

curl test
curl -H "X-Forwarded-For:192.168.0.1" "http://2hei.net/test.jsp"
x-forwarded-for: 123.123.123.123
remote hosts: 172.16.100.10


Test results:
1. With proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
nginx appends the real IP to X-Forwarded-For, and it is appended at the end, after the client-supplied values.

2. With proxy_set_header X-Forwarded-For $remote_addr;
the X-Forwarded-For value forged by the client is discarded,
so the IP returned by request.getHeader("x-forwarded-for") is the real one.
Alternatively, split X-Forwarded-For on "," and take its last value.
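As an added example that is not part of the original post, the following servlet-side helper applies conclusion 2 to the output of configuration 1: X-Forwarded-For is only consulted when the request really arrived from the nginx proxy (172.16.100.10 in the post's environment), and then only its rightmost entry, the one nginx appended, is used. The class and method names are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;

// Added example, not code from the original post. Resolves the client address
// from X-Forwarded-For in the way the post's second conclusion suggests.
public class ClientIp {
    // Assumption: the address the backend sees as the TCP peer when requests
    // come through nginx (the post's internal IP).
    static final String TRUSTED_PROXY = "172.16.100.10";

    /**
     * @param xff        raw value of request.getHeader("x-forwarded-for"), may be null
     * @param remoteAddr value of request.getRemoteAddr()
     * @return the address to treat as the client
     */
    public static String resolve(String xff, String remoteAddr) {
        // Not from our proxy: the header was never validated by nginx, so the
        // TCP peer address is the only value worth trusting.
        if (!TRUSTED_PROXY.equals(remoteAddr)) {
            return remoteAddr;
        }
        if (xff == null || xff.trim().isEmpty()) {
            return remoteAddr;
        }
        // Client-supplied entries sit on the left; nginx appended $remote_addr
        // on the right, so the last element is the one the proxy vouches for.
        String[] parts = xff.split(",");
        return parts[parts.length - 1].trim();
    }

    // Convenience wrapper for use inside a servlet or JSP.
    public static String resolve(HttpServletRequest request) {
        return resolve(request.getHeader("x-forwarded-for"), request.getRemoteAddr());
    }

    public static void main(String[] args) {
        // Constructed inputs taken from the post's test output under configuration 1,
        // configuration 2, and a request that bypassed the proxy entirely.
        System.out.println(resolve("192.168.0.1, 123.123.123.123", TRUSTED_PROXY));
        System.out.println(resolve("123.123.123.123", TRUSTED_PROXY));
        System.out.println(resolve("192.168.0.1", "203.0.113.5"));
    }
}
```

Taking the first comma-separated entry instead of the last is exactly the mistake that lets a client pick any address it likes under configuration 1.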
