On Tue, Sep 22, 2015 at 11:09 PM, William A Rowe Jr <[email protected]> wrote: > On Tue, Sep 22, 2015 at 8:48 PM, Eric Covener <[email protected]> wrote: >> >> Maybe my followup is better phrased. No issue with handling of internal >> IPs. >> >> Currently, we act like RemoteIPTrustedProxy * by default (once they've >> named the XFF header) and warn people they'd better restrict it. > > > I agree that was not the original design and we should address it with a fix > rather than a docs fix, IMHO. 'Trusted' is the exception, not the general > case.
bump. I don't love the idea of changing the 2.4 defaults. Current doc already says "Unless these other directives are used, mod_remoteip will trust all hosts presenting a RemoteIPHeader IP value." so I thought it was wise to reinforce this in other sections. Doc is not back-ported yet.
