Private address space IP found in X-Forwarded-For

nginx reverse-proxy google-cloud-platform x-forwarded-for private-ip

I'm reverse proxying with nginx behind Google Cloud (HTTPS) Load Balancer, so I add the X-Forwarded-For header so that the backend can extract the client (browser) IP.

This morning I noticed a 10.x.x.x IP in the logs, how is this possible?


How your logging interprets the header containing multiple IP addresses? If it takes the first IP address instead of the correct one, this may well be address added by someones forward proxy instead of your reverse proxy.

The header and its contents are documented in GCP Setting Up HTTP(S) Load Balancing article:

X-Forwarded-For: <unverified IP(s)>, <immediate client IP>, <global forwarding rule external IP>, <proxies running in GCP> (requests only)

A comma-separated list of IP addresses appended by the intermediaries the request traveled through. If you are running proxies inside GCP that append data to the X-Forwarded-For header, then your software must take into account the existence and number of those proxies. Only the <immediate client IP> and <global forwarding rule external IP> entries are provided by the load balancer. All other entries in the list are passed along without verification.

Just adjust your logging accordingly.

Related

get a list of instances on ec2 without termination protection?
How to do proper VPS timekeeping?
Error: XFS filesystem is not valid as a default fs type
Cloudflare and .DE domain
Google Cloud Instance hostname (Compute Engine)
Cygwin Windows < Linux rsync - connection unexpectedly closed
The math of waiting to be sitted
Eigenvalues of inverse matrix to a given matrix
Partial Fraction Decomposition with Complex Number $\frac{1}{z^2 - 2i}$.
Equivalence modulo certain theory
Explain " If two straight lines a, b of a plane do not meet a third straight line c of the same plane, then they do not meet each other."
Sign of $P(Δ)$ with $P(x)=ax²+bx+c$ and $Δ=b²-4ac$