On Mon, Mar 13, 2017 at 7:31 PM, William A Rowe Jr <[email protected]> wrote: > On Sat, Mar 11, 2017 at 1:33 PM, Daniel Ruggeri <[email protected]> wrote: >> This is important for us on two fronts: >> * For mod_remoteip, we'd have to decide which to use. The current method >> is to prefer PROXY. >> * If we add PROXY support to mod_proxy, we have to decide which to propagate > > [...] > > We support X-F-F to some extent today, but not properly. But because we > are an HTTP server which can mangle HTTP request metadata, and our > proxy connections are not remote connection-bound, we should probably > apply the logic above to generate an RFC7239 Forwarded header. This > is where we probably collapse all
Whoops, sorry... "Where we should probably collapse all" trusted proxy data into the alternate header, and relay all remaining untrusted X-F-F/Forwarded data on to the client as 'you deal with this'. Or add a flag to recombine it all and let the backend reprocess it all, but the entire point of putting httpd somewhere in the chain is to deduplicate and eliminate useless data and CPU time.
