Thanks,

The situation we were looking at is where NaviServer is behind 2 proxies.

Client: IP 1.1.1.1
|
Proxy 1: sends X-Forwarded-For: 1.1.1.1
|
Proxy 2: sends X-Forwarded-For: 1.1.1.1,2.2.2.2
|
NaviServer: peeraddr -source forwarded = 1.1.1.1

Which is fine.

But the Client can initiate requests which have X-Forwarded-For headers already present, then we run into difficulties.

Client: IP 1.1.1.1 : sends X-Forwarded-For: 1.2.3.4
|
Proxy 1: sends X-Forwarded-For: 1.2.3.4,1.1.1.1
|
Proxy 2: sends X-Forwarded-For: 1.2.3.4,1.1.1.1,2.2.2.2
|
NaviServer: peeraddr -source forwarded = 1.2.3.4

We have got around this by using proxy2 to clobber the X-Forwarded-For header using the Nginx real_ip module, which has the logic that it will use the rightmost IP if from a trusted peer.

Client: IP 1.1.1.1 : sends X-Forwarded-For: 1.2.3.4
|
Proxy 1: sends X-Forwarded-For: 1.2.3.4,1.1.1.1
|
Proxy 2: sends X-Forwarded-For: 1.1.1.1 (as calculated by real_ip <https://nginx.org/en/docs/http/ngx_http_realip_module.html> logic - we trust proxy1, so use the most recent IP - the rightmost)
|
NaviServer: peeraddr -source forwarded = 1.1.1.1

However, we are looking into dropping proxy2. Unfortunately proxy1 does not have the flexibility to manipulate headers in such a way, so we are back to:

Client: IP 1.1.1.1 : sends X-Forwarded-For: 1.2.3.4
|
Proxy 1: sends X-Forwarded-For: 1.2.3.4,1.1.1.1
|
NaviServer: peeraddr -source forwarded = 1.2.3.4

This leaves, I think, a situation in which the client can send any IP in the X-Forwarded-For header, then we'd use it and throw away the peer IP seen by proxy1.

On Tue, 23 Apr 2024 at 10:39, Gustaf Neumann (sslmail) <neum...@wu.ac.at> wrote:

> Why are you looking into the issue? Would the filtering of private
> addresses help you?
>
> -gn
>
> _______________________________________________
> naviserver-devel mailing list
> naviserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
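The rightmost-from-a-trusted-peer rule described in the message above, as an added example that is not part of the original post and is not NaviServer or nginx code. It goes beyond the single-proxy case by walking the header right to left through any number of trusted proxies; the function names are hypothetical, 2.2.2.2 is taken as proxy 1's address as the chain in the message implies, and 3.3.3.3 is a constructed address for proxy 2.

```python
import ipaddress


def leftmost_forwarded(xff):
    """Naive choice: the first header entry, which the client controls."""
    return xff.split(",")[0].strip()


def client_addr(peer, xff, trusted):
    """Resolve the client address from the socket peer and X-Forwarded-For.

    Start from the TCP peer. While the current candidate is a trusted
    proxy, accept the next entry to its left as the address that proxy
    saw. Stop at the first untrusted or unparsable address: everything
    further left was supplied by a party we do not trust.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(addr):
        return any(addr in net for net in nets)

    candidate = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(candidate):
            break  # candidate is not one of our proxies: it is the client
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address a proxy vouched for
    return str(candidate)


if __name__ == "__main__":
    # Single-proxy chain from the message: the client sent a forged 1.2.3.4.
    header = "1.2.3.4,1.1.1.1"
    print("leftmost :", leftmost_forwarded(header))
    print("trusted  :", client_addr("2.2.2.2", header, ["2.2.2.2"]))
```
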