Subject: Re: realip module broken?
From: Spil Games (list@public.gmane.org)
Date: Aug 12, 2008 7:56:47 am
List: ru.sysoev.nginx

Spil Games wrote:

Does this ring a bell for anyone? It seems to me like the realip module is seriously broken (at least in 0.6.32). I had a look at the source code, but cannot come up with anything obvious.

I think I figured it out. We run multiple Nginx backends behind a Zeus ZXTM loadbalancer. The loadbalancer is configured to use keepalives to the backends and thus pipes requests from various source addresses through one connection.

When the first request on a new lb->ws connection comes in, Nginx matches the source address to the value set through 'set_real_ip_from'. Let's assume the request originates from the loadbalancer (obviously :P) and that we have set 'set_real_ip_from' appropriately. The realip module will patch the following:

    sin->sin_addr.s_addr = addr;
    r->connection->addr_text.len = len;
    r->connection->addr_text.data = p;

So the IP address is corrected for this connection. So far, so good.

Now to the second request: Nginx will try to match the source address again, but because this is the same (already patched) connection, it will not match 'set_real_ip_from' and the address will pass unmodified, which is incorrect because this request originates from a different client ip address.

I can work around this problem by setting 'set_real_ip_from' to '0.0.0.0/0', but I think this is essentially a bug in the module. It should not patch the source ip address for the whole (keepalive) connection, but only for the current request.
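
The keepalive behaviour described in this message, modelled as an added example (it is not nginx source and not code from the post): one function matches the trusted range against the connection address that an earlier request has already overwritten, the other matches the untouched socket peer on every request. All names, the 10.0.0.0/8 trusted range and the addresses are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not nginx source. All names and addresses are constructed. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct {
    uint32_t peer;  /* address the TCP connection really came from */
    uint32_t addr;  /* address used for logging and access checks */
} conn_t;

/* Stand-in for the trusted proxy range (assumed: 10.0.0.0/8). */
static const uint32_t TRUSTED_NET = IP(10, 0, 0, 0), TRUSTED_MASK = IP(255, 0, 0, 0);

static int trusted(uint32_t a) { return (a & TRUSTED_MASK) == TRUSTED_NET; }

/* Behaviour described in the post: the match uses c->addr, which an earlier
   request on the same keepalive connection has already overwritten. */
static uint32_t realip_per_connection(conn_t *c, uint32_t hdr) {
    if (trusted(c->addr)) c->addr = hdr;
    return c->addr;
}

/* Per-request variant: always match the untouched socket peer. */
static uint32_t realip_per_request(const conn_t *c, uint32_t hdr) {
    return trusted(c->peer) ? hdr : c->peer;
}

/* Replay n forwarded-address headers over one connection and count the
   requests that end up attributed to an address other than the header's. */
static size_t misattributed(uint32_t peer, const uint32_t *hdrs, size_t n, int per_request) {
    conn_t c = { peer, peer };
    size_t wrong = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t got = per_request ? realip_per_request(&c, hdrs[i])
                                   : realip_per_connection(&c, hdrs[i]);
        if (got != hdrs[i]) wrong++;
    }
    return wrong;
}

int main(void) {
    const uint32_t hdrs[] = { IP(203, 0, 113, 5), IP(198, 51, 100, 7), IP(192, 0, 2, 9) };
    printf("per-connection: %zu wrong, per-request: %zu wrong\n",
           misattributed(IP(10, 0, 0, 1), hdrs, 3, 0),
           misattributed(IP(10, 0, 0, 1), hdrs, 3, 1));
    return 0;
}
```

In the per-request variant a peer outside the trusted range keeps its own socket address, so the forwarded header is only honoured when it arrives from the load balancer.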