Some nginx configs are vulnerable to X-Forwarded-For spoofing
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; in the
X-Forwarded-For is defined as
X-Forwarded-For: <client>, <proxy1>, <proxy2> and
$proxy_add_x_forwarded_for works like
So a user can basically set
X-Forwarded-For: 18.104.22.168 and now the IP is spoofed (at least the IP seen by the proxied service).
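As an added example (not code from the note above), this constructed Python model reproduces the exchange: what `$proxy_add_x_forwarded_for` hands to the proxied service, how a naive "take the first entry" parse is fooled by a client-supplied header, and how a backend that knows its own proxy addresses recovers the real client instead. The addresses 203.0.113.7 and 10.0.0.5 and the 10.0.0.0/8 trusted range are assumptions for the scenario.

```python
import ipaddress

# Constructed example, not code from the original note: shows what
# nginx's $proxy_add_x_forwarded_for hands to the backend and how the
# backend should (and should not) recover the client address from it.

def nginx_proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Mimic $proxy_add_x_forwarded_for: the client's own X-Forwarded-For
    value (if any) with nginx's $remote_addr appended after ', '."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def naive_client_ip(xff, peer):
    """Insecure: trust the leftmost entry. The client wrote that entry."""
    return xff.split(",")[0].strip() if xff else peer

def client_ip_behind_trusted_proxies(xff, peer, trusted_proxies):
    """Walk the chain right-to-left, starting from the TCP peer, and drop
    every address that is one of our own proxies. The first address that
    is not ours is the real client; everything to its left is its input."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    hops.append(peer)  # the peer is the one hop we know for certain
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # every hop was one of our proxies

# Scenario (constructed): a client at 203.0.113.7 sends a forged header
# to nginx (10.0.0.5), which proxies the request to the backend.
FORGED_XFF = "18.104.22.168"
CLIENT_ADDR = "203.0.113.7"
NGINX_ADDR = "10.0.0.5"
TRUSTED = ["10.0.0.0/8"]  # assumed: the range our own proxies live in

def demo():
    xff_seen_by_backend = nginx_proxy_add_x_forwarded_for(FORGED_XFF, CLIENT_ADDR)
    return {
        "header": xff_seen_by_backend,
        "naive": naive_client_ip(xff_seen_by_backend, NGINX_ADDR),
        "trusted": client_ip_behind_trusted_proxies(xff_seen_by_backend, NGINX_ADDR, TRUSTED),
    }

if __name__ == "__main__":
    print(demo())
```

The naive parse reports the forged 18.104.22.168, while the proxy-aware parse reports 203.0.113.7, the address nginx itself appended.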