Reverse Proxy and HTTP_X_FORWARDED_FOR: can I trust it?

I have a server located in a DMZ behind an NGINX reverse proxy.
I would like to clarify something: can I rely on the HTTP_X_FORWARDED_FOR header and be confident that it always contains the real client IP address, and that it cannot be tampered with?

(Of course, I assume that on NGINX the following directive is configured:)

proxy_set_header X-Forwarded-For $remote_addr;


I wouldn’t say that you can trust that it’s the real client IP address. It is an address on the client side of the connection, though. Its usefulness depends on what you want the IP for.

Example: Using it to match against a big disallow list would be very different from using it against a small list of allowed IPs for access to private information.

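The point made in the question and the reply, as an added example that is not code from either poster: the backend should never read X-Forwarded-For as-is, because any client can send that header. Two things make it usable. First, the TCP peer address (REMOTE_ADDR) is the only value a client cannot set, so the header is only consulted when that peer is one of your own proxies; a request that reaches the backend directly, bypassing NGINX, gets its peer address and nothing else. Second, with `proxy_set_header X-Forwarded-For $remote_addr;` as in the question NGINX overwrites the header, so the backend only ever sees one address; with `$proxy_add_x_forwarded_for` NGINX appends its peer to whatever the client sent, and then the backend has to walk the list from the right and stop at the first address that is not a known proxy. The proxy addresses and the sample inputs below are constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: the addresses of the proxies we operate (assumption for the example).
# Only these may add entries we believe; everything left of them in the header
# is client-controlled.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.5/32"),   # the NGINX reverse proxy in the DMZ
    ipaddress.ip_network("10.0.0.0/24"),   # hypothetical: a second edge tier
]


def _parse(value: str) -> Optional[IPAddr]:
    """Parse one header entry; None for anything that is not a bare IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(ip: IPAddr) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address the backend should treat as the client.

    remote_addr is the TCP peer (REMOTE_ADDR), which cannot be spoofed without
    controlling the route. xff_header is the raw X-Forwarded-For value, which
    the client can set freely. The header is walked right to left and the
    first address that is not one of our proxies wins.
    """
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("malformed REMOTE_ADDR: %r" % remote_addr)

    # Request did not come through our proxy (or carries no header):
    # the peer is the best information we have, and the header is ignored.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)

    nearest = peer
    for raw in reversed(xff_header.split(",")):
        ip = _parse(raw)
        if ip is None:
            # Garbage in the header: stop here and fall back to the last
            # address we were able to attribute to one of our own proxies.
            break
        if not _is_trusted(ip):
            return str(ip)          # first hop that is not ours: the client
        nearest = ip                # a proxy of ours; keep walking left
    return str(nearest)


def is_allowed(remote_addr: str, xff_header: Optional[str],
               allowlist: Iterable[str]) -> bool:
    """Access decision for a small allowlist, as in the reply's second case.

    The decision is made on the attributed client address, never on the
    leftmost header entry, so prepending an allowed address does not help.
    """
    return client_ip(remote_addr, xff_header) in set(allowlist)


if __name__ == "__main__":
    # Constructed requests: peer address plus the header as the backend sees it.
    print(client_ip("10.0.0.5", "203.0.113.9"))                 # via NGINX
    print(client_ip("10.0.0.5", "192.0.2.1, 203.0.113.9"))      # spoofed prefix
    print(client_ip("198.51.100.20", "192.0.2.1"))              # proxy bypassed
```

The first two calls both yield 203.0.113.9: the client's attempt to prepend 192.0.2.1 is discarded because 203.0.113.9, the entry NGINX appended, is the first untrusted hop from the right. The third call yields 198.51.100.20, the peer, because the header arrived from something that is not our proxy. This also shows what the `$remote_addr` form in the question relies on: it is safe exactly as long as the backend cannot be reached except through that NGINX, so the firewall rule enforcing that is part of the control, not an afterthought.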