Merge pull request #1037 from Starefossen/remote-addr-disambiguation

Document why REMOTE_ADD may not be the user's IP address
2026-01-14 11:09:11 +08:00 · 2015-05-22 05:01:21 +03:00 · 2015-05-22 05:01:21 +03:00 · e6cf15ce78
commit e6cf15ce78
parent 03e52954b8 85d857d711
1 changed files with 15 additions and 0 deletions
--- a/docs/source/deploy.rst
+++ b/docs/source/deploy.rst
@ -111,6 +111,21 @@ Gunicorn may come from untrusted proxies or directly from clients since the
 application may be tricked into serving SSL-only content over an insecure
 connection.

+Gunicorn v19 introduced a breaking change concerning how ``REMOTE_ADDR`` is
+handled. Previous to Gunicorn v19 this was set to the value of
+``X-Forwarded-For`` if recieved from a trusted proxy. However, this was not in
+compliance with `RFC 3875 CGI Version 1.1 <http://www.ietf.org/rfc/rfc3875>`_
+which is why the ``REMOTE_ADDR`` is now the IP address of **the proxy** and
+**not the actual user**. You should instead configure Nginx to send the user's
+IP address through the ``X-Forwarded-For`` header like this::
+
+    ...
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    ...
+
+It is also worth noting that the ``REMOTE_ADDR`` will be completely empty if you
+bind Gunicorn to a unix socket and not a tcp host:port tuple.
+
 Using Virtualenv
 ================