3.7 Ensure proxies pass source IP information - X-Real-IP

Information

The x-forwarded-for and remote address headers help identify and separate the originating client IP address of the user agent and the proxy IP address. The two types of addresses are the same, and one should always be present.

Rationale:

Being able to identify the originating client IP address can help auditors or incident responders identify where the corresponding user came from. This may be useful in the event of an attack to analyze if the IP address is a good candidate for blocking. It may also be useful to correlate an attacker's actions.

Solution

To ensure your proxy or load balancer will forward information about the client and the proxy to the application, you must set the below headers in your location block. Edit your location block so it shows the proxy_set_header directives for the client and the proxy as shown below. These headers are the exact same and there is no need to have both present.

server {
...
location / {
proxy_pass (Insert Application URL here);
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

Default Value:

This is not set by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.7

Plugin: Unix

Control ID: 2749ec4bf66a9f9f95aee0f09ea9bcceec98ce0a38e0944229f1f765901eebfa