
Commit e38cdae

authored
Merge pull request #7364 from Turbo87/remove-nginx-realip
Remove `X-Real-Ip` header
2 parents f5c5e57 + 151c54d commit e38cdae


3 files changed

+1
-194
lines changed


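--- a/config/nginx.conf.erb
+++ b/config/nginx.conf.erb
@@ -16,148 +16,6 @@ events {
 }
 
 http {
-# Use the `X-Forwarded-For` to replace the client address (`$remote_addr`).
-real_ip_header X-Forwarded-For;
-# Ignore "trusted addresses" (see `set_real_ip_from` below) when determining the real user IP
-real_ip_recursive on;
-
-set_real_ip_from 10.0.0.0/8;
-set_real_ip_from 127.0.0.0/24;
-
-# CloudFront IP addresses from http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
-# Last updated: 2022-03-26
-set_real_ip_from 3.10.17.128/25;
-set_real_ip_from 3.11.53.0/24;
-set_real_ip_from 3.35.130.128/25;
-set_real_ip_from 3.101.158.0/23;
-set_real_ip_from 3.128.93.0/24;
-set_real_ip_from 3.134.215.0/24;
-set_real_ip_from 3.231.2.0/25;
-set_real_ip_from 3.234.232.224/27;
-set_real_ip_from 3.236.48.0/23;
-set_real_ip_from 3.236.169.192/26;
-set_real_ip_from 13.32.0.0/15;
-set_real_ip_from 13.35.0.0/16;
-set_real_ip_from 13.48.32.0/24;
-set_real_ip_from 13.54.63.128/26;
-set_real_ip_from 13.59.250.0/26;
-set_real_ip_from 13.113.196.64/26;
-set_real_ip_from 13.113.203.0/24;
-set_real_ip_from 13.124.199.0/24;
-set_real_ip_from 13.210.67.128/26;
-set_real_ip_from 13.224.0.0/14;
-set_real_ip_from 13.228.69.0/24;
-set_real_ip_from 13.233.177.192/26;
-set_real_ip_from 13.249.0.0/16;
-set_real_ip_from 15.158.0.0/16;
-set_real_ip_from 15.188.184.0/24;
-set_real_ip_from 15.207.13.128/25;
-set_real_ip_from 15.207.213.128/25;
-set_real_ip_from 18.64.0.0/14;
-set_real_ip_from 18.154.0.0/15;
-set_real_ip_from 18.160.0.0/15;
-set_real_ip_from 18.164.0.0/15;
-set_real_ip_from 18.172.0.0/15;
-set_real_ip_from 18.192.142.0/23;
-set_real_ip_from 18.200.212.0/23;
-set_real_ip_from 18.216.170.128/25;
-set_real_ip_from 18.229.220.192/26;
-set_real_ip_from 18.238.0.0/15;
-set_real_ip_from 18.244.0.0/15;
-set_real_ip_from 34.195.252.0/24;
-set_real_ip_from 34.216.51.0/25;
-set_real_ip_from 34.223.12.224/27;
-set_real_ip_from 34.223.80.192/26;
-set_real_ip_from 34.226.14.0/24;
-set_real_ip_from 35.158.136.0/24;
-set_real_ip_from 35.162.63.192/26;
-set_real_ip_from 35.167.191.128/26;
-set_real_ip_from 36.103.232.0/25;
-set_real_ip_from 36.103.232.128/26;
-set_real_ip_from 44.227.178.0/24;
-set_real_ip_from 44.234.90.252/30;
-set_real_ip_from 44.234.108.128/25;
-set_real_ip_from 52.15.127.128/26;
-set_real_ip_from 52.46.0.0/18;
-set_real_ip_from 52.47.139.0/24;
-set_real_ip_from 52.52.191.128/26;
-set_real_ip_from 52.56.127.0/25;
-set_real_ip_from 52.57.254.0/24;
-set_real_ip_from 52.66.194.128/26;
-set_real_ip_from 52.78.247.128/26;
-set_real_ip_from 52.82.128.0/19;
-set_real_ip_from 52.84.0.0/15;
-set_real_ip_from 52.124.128.0/17;
-set_real_ip_from 52.199.127.192/26;
-set_real_ip_from 52.212.248.0/26;
-set_real_ip_from 52.220.191.0/26;
-set_real_ip_from 52.222.128.0/17;
-set_real_ip_from 54.182.0.0/16;
-set_real_ip_from 54.192.0.0/16;
-set_real_ip_from 54.230.0.0/17;
-set_real_ip_from 54.230.128.0/18;
-set_real_ip_from 54.230.200.0/21;
-set_real_ip_from 54.230.208.0/20;
-set_real_ip_from 54.230.224.0/19;
-set_real_ip_from 54.233.255.128/26;
-set_real_ip_from 54.239.128.0/18;
-set_real_ip_from 54.239.192.0/19;
-set_real_ip_from 54.240.128.0/18;
-set_real_ip_from 58.254.138.0/25;
-set_real_ip_from 58.254.138.128/26;
-set_real_ip_from 64.252.64.0/18;
-set_real_ip_from 64.252.128.0/18;
-set_real_ip_from 65.8.0.0/16;
-set_real_ip_from 65.9.0.0/17;
-set_real_ip_from 65.9.128.0/18;
-set_real_ip_from 70.132.0.0/18;
-set_real_ip_from 71.152.0.0/17;
-set_real_ip_from 99.79.169.0/24;
-set_real_ip_from 99.84.0.0/16;
-set_real_ip_from 99.86.0.0/16;
-set_real_ip_from 108.138.0.0/15;
-set_real_ip_from 108.156.0.0/14;
-set_real_ip_from 116.129.226.0/25;
-set_real_ip_from 116.129.226.128/26;
-set_real_ip_from 118.193.97.64/26;
-set_real_ip_from 118.193.97.128/25;
-set_real_ip_from 119.147.182.0/25;
-set_real_ip_from 119.147.182.128/26;
-set_real_ip_from 120.52.12.64/26;
-set_real_ip_from 120.52.22.96/27;
-set_real_ip_from 120.52.39.128/27;
-set_real_ip_from 120.52.153.192/26;
-set_real_ip_from 120.232.236.0/25;
-set_real_ip_from 120.232.236.128/26;
-set_real_ip_from 120.253.240.192/26;
-set_real_ip_from 120.253.241.160/27;
-set_real_ip_from 120.253.245.128/26;
-set_real_ip_from 120.253.245.192/27;
-set_real_ip_from 130.176.0.0/17;
-set_real_ip_from 130.176.128.0/18;
-set_real_ip_from 130.176.192.0/19;
-set_real_ip_from 130.176.224.0/20;
-set_real_ip_from 143.204.0.0/16;
-set_real_ip_from 144.220.0.0/16;
-set_real_ip_from 180.163.57.0/25;
-set_real_ip_from 180.163.57.128/26;
-set_real_ip_from 204.246.164.0/22;
-set_real_ip_from 204.246.168.0/22;
-set_real_ip_from 204.246.172.0/24;
-set_real_ip_from 204.246.173.0/24;
-set_real_ip_from 204.246.174.0/23;
-set_real_ip_from 204.246.176.0/20;
-set_real_ip_from 205.251.200.0/21;
-set_real_ip_from 205.251.208.0/20;
-set_real_ip_from 205.251.249.0/24;
-set_real_ip_from 205.251.250.0/23;
-set_real_ip_from 205.251.252.0/23;
-set_real_ip_from 205.251.254.0/24;
-set_real_ip_from 216.137.32.0/19;
-set_real_ip_from 223.71.11.0/27;
-set_real_ip_from 223.71.71.96/27;
-set_real_ip_from 223.71.71.128/25;
-
 # Disable emitting nginx version on error pages and in the “Server” response header field
 server_tokens off;
 
@@ -193,10 +51,6 @@ http {
 # Use the passed-in `Host` header for proxied requests instead of changing it to the `proxy_pass` value
 proxy_set_header Host $http_host;
 
-# Add a `X-Real-Ip` header to proxied requests containing the client address
-# (after being changed by the `realip` module)
-proxy_set_header X-Real-Ip $remote_addr;
-
 # Disable `Location` and `Refresh` header rewriting for proxied responses
 proxy_redirect off;
 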
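--- a/src/headers.rs
+++ b/src/headers.rs
@@ -35,38 +35,3 @@ impl Header for XRequestId {
 values.extend(std::iter::once(value));
 }
 }
-
-static X_REAL_IP: HeaderName = HeaderName::from_static("x-real-ip");
-
-pub struct XRealIp(String);
-
-impl XRealIp {
-pub fn as_str(&self) -> &str {
-self.0.as_str()
-}
-}
-
-impl Header for XRealIp {
-fn name() -> &'static HeaderName {
-&X_REAL_IP
-}
-
-fn decode<'i, I>(values: &mut I) -> Result<Self, Error>
-where
-I: Iterator<Item = &'i HeaderValue>,
-{
-values
-.next()
-.and_then(|value| value.to_str().ok())
-.map(|value| Self(value.to_string()))
-.ok_or_else(Error::invalid)
-}
-
-fn encode<E>(&self, values: &mut E)
-where
-E: Extend<HeaderValue>,
-{
-let value = HeaderValue::from_str(&self.0).unwrap();
-values.extend(std::iter::once(value));
-}
-}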

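--- a/src/middleware/log_request.rs
+++ b/src/middleware/log_request.rs
@@ -2,7 +2,7 @@
 //! information that we care about like User-Agent
 
 use crate::controllers::util::RequestPartsExt;
-use crate::headers::{XRealIp, XRequestId};
+use crate::headers::XRequestId;
 use crate::middleware::normalize_path::OriginalPath;
 use crate::real_ip::process_xff_headers;
 use axum::headers::UserAgent;
@@ -32,7 +32,6 @@ pub struct RequestMetadata {
 original_path: Option<Extension<OriginalPath>>,
 user_agent: TypedHeader<UserAgent>,
 request_id: Option<TypedHeader<XRequestId>>,
-real_ip: Option<TypedHeader<XRealIp>>,
 }
 
 pub struct Metadata<'a> {
@@ -77,17 +76,6 @@ impl Display for Metadata<'_> {
 let real_ip = self.real_ip.map(|ip| ip.to_string()).unwrap_or_default();
 line.add_quoted_field("ip", &real_ip)?;
 
-let x_real_ip = self.request.real_ip.as_ref();
-let x_real_ip = x_real_ip
-.map(|ip| ip.as_str().to_string())
-.unwrap_or_default();
-line.add_quoted_field("fwd", &x_real_ip)?;
-
-// TODO: Remove this once production traffic has shown that `ip == fwd`
-if real_ip != x_real_ip {
-line.add_marker("ip!=fwd")?;
-}
-
 let response_time_in_ms = self.duration.as_millis();
 if !is_download_redirect || response_time_in_ms > 0 {
 line.add_field("service", format!("{response_time_in_ms}ms"))?;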
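Review bot: The `ip` field written by `line.add_quoted_field("ip", &real_ip)?` is now the only client address in the log line, and nothing next to it says where `self.real_ip` comes from or how far it can be trusted. It is presumably produced by `process_xff_headers` (imported at the top of this file) from `X-Forwarded-For`, a header whose leading entries are supplied by the client. With the nginx `set_real_ip_from` list deleted in the same commit, the trusted-proxy decision would then live only in that function, so it is worth confirming it still skips the same proxy ranges. I would add a comment above the field such as `// client address derived in-app from X-Forwarded-For; only hops appended by trusted proxies are reliable`, and note that an empty `ip` value means no address could be determined (`unwrap_or_default()`). The `Display` impl body starts and ends outside this hunk.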
