Help understanding what headers are forwarded?

[cyberwolfie1]

I'm trying to set up a Flask application behind Anubis in a way where I can get the real client IPs. My setup is WAN -> Nginx Proxy Manager -> Anubis -> Flask application.

I need to configure werkzeug.middleware.proxy_fix.ProxyFix in my application to tell it what to trust, so that I can get the real client IP within the application (it reads X-Forwarded-For). The ProxyFix-class takes the number of proxy jumps for X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Prefix, and I understand it to be a security issue if I end up trusting headers spoofed by the client instead of the proxies.

My pre-existing knowledge about this is as you can probably tell quite limited. Currently I'm stumped at finding out which of these headers are modified at each step. X-Forwarded-For yields correct client IP if I set all of them to 2, but how can I find out what Anubis is modifying?

I guess also that since I am doing this fix only to get X-Forwarded-For, I could instruct the application to only trust 2 jumps for that particular header and set the others to 0?

[yudin-s]

For your topology, treat this as two separate questions: which proxy appends the address chain, and which headers your Flask app actually needs to trust.

For X-Forwarded-For, x_for=2 is plausible in ProxyFix if both Nginx Proxy Manager and Anubis append one hop before the request reaches Flask:

client -> NPM -> Anubis -> Flask

I would not infer it from the final client IP alone. Add a temporary debug route in Flask that prints request.remote_addr and the raw X-Forwarded-* headers before ProxyFix, then send one request with a deliberately fake client header from outside:

curl -H 'X-Forwarded-For: 1.2.3.4' https://your-site/debug-headers

If the edge proxy does not overwrite untrusted incoming X-Forwarded-For, the fake value may survive into the chain. The safest setup is usually:

1. NPM, as the public edge, strips/overwrites any incoming forwarded headers from the internet.
2. NPM adds the real client address.
3. Anubis forwards or appends in a predictable way.
4. Flask trusts only the number of hops that are actually under your control.

Yes, you can set only x_for=2 and leave x_proto, x_host, and x_prefix at 0 if your application only uses request.remote_addr. Only enable the other ProxyFix counts if Flask/url generation actually needs those rewritten values.

If that matches what you see in the header dump, this should be safe to mark as answered.