> On Oct 6, 2015, at 10:47 AM, Eric Covener <cove...@gmail.com> wrote:
>
> On Tue, Sep 22, 2015 at 11:09 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>> On Tue, Sep 22, 2015 at 8:48 PM, Eric Covener <cove...@gmail.com> wrote:
>>>
>>> Maybe my followup is better phrased. No issue with handling of internal
>>> IPs.
>>>
>>> Currently, we act like RemoteIPTrustedProxy * by default (once they've
>>> named the XFF header) and warn people they'd better restrict it.
>>
>>
>> I agree that was not the original design and we should address it with a fix
>> rather than a docs fix, IMHO. 'Trusted' is the exception, not the general
>> case.
>
> bump. I don't love the idea of changing the 2.4 defaults.

+1

>
> Current doc already says "Unless these other directives are used,
> mod_remoteip will trust all hosts presenting a RemoteIPHeader IP
> value." so I thought it was wise to reinforce this in other sections.
> Doc is not back-ported yet.
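
Added example, not part of the thread or of the httpd documentation: the header-only configuration that the quoted doc sentence describes, next to one that names its proxies explicitly. Host names, addresses and the log file name are constructed placeholders.

```apache
# Constructed example; 10.0.2.0/24 and 192.0.2.10 are placeholder addresses.

# Header-only: RemoteIPHeader is named but no proxy is listed. Per the doc
# sentence quoted in the thread, mod_remoteip then trusts all hosts that
# present a RemoteIPHeader value, so any peer can set the logged client IP.
<VirtualHost *:80>
    ServerName header-only.example.test
    RemoteIPHeader X-Forwarded-For
</VirtualHost>

# Restricted: only the listed proxies may assert a client address.
<VirtualHost *:80>
    ServerName restricted.example.test
    RemoteIPHeader X-Forwarded-For

    # Proxies inside our own network: trusted to assert any client address,
    # including private ones.
    RemoteIPInternalProxy 10.0.2.0/24

    # External proxy: trusted to assert public client addresses only;
    # private-range values it presents are not accepted.
    RemoteIPTrustedProxy 192.0.2.10

    # Check the result: %a is the client address after mod_remoteip has
    # processed the header, %{c}a is the underlying connection peer.
    LogFormat "%a peer=%{c}a xff=\"%{X-Forwarded-For}i\" \"%r\" %>s" remoteip_check
    CustomLog logs/remoteip_check.log remoteip_check
</VirtualHost>
```

In the restricted vhost, a request arriving from a peer outside the listed proxies should log the same value for `%a` and `peer=`, whatever the header contains.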