Lua script to render an unmodified X-Forwarded-For header

Author: piger

inner-proxy/conf/conf.d/default.conf

@@ -15,9 +15,11 @@ server {
     }
 
     location / {
-        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
-        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-Proto   $http_x_forwarded_proto;
+        proxy_set_header X-Forwarded-For     $realip_add_x_forwarded_for;
+        proxy_set_header X-Bad-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP           $remote_addr;
+
         proxy_pass http://backend;
     }
 }

inner-proxy/conf/lua/realip-x-forwarded-for.lua

@@ -0,0 +1,11 @@
+local _M = {}
+
+function _M.run()
+    if (ngx.var.http_x_forwarded_for == "" or ngx.var.http_x_forwarded_for == nil) then
+        ngx.var.realip_add_x_forwarded_for = ngx.var.realip_remote_addr
+    else
+        ngx.var.realip_add_x_forwarded_for = ngx.var.http_x_forwarded_for .. ", " .. ngx.var.realip_remote_addr
+    end
+end
+
+return _M

inner-proxy/conf/nginx.conf

@@ -30,6 +30,11 @@ http {
     set_real_ip_from 10.20.30.2/32;
     real_ip_header X-Forwarded-For;
 
+    map $request $realip_add_x_forwarded_for { default ""; }
+    access_by_lua_block {
+        require("realip-x-forwarded-for").run()
+    }
+
     # Include the rest of the configuration
     include conf.d/*.conf;
 }