Sorry for the top post. I've committed r1789800 which pulls out Optional handling and adds the ability to disable based on source network. This is more or less the code as it was donated, plus some cleanup and the small addition to disable based on networks (overall a cleaner approach anyway). I went with the directive name RemoteIPProxyProtocolDisableHosts to align more with the fact that a single host or range can be disabled. I've verified this works via haproxy, rejects when hit directly and disables processing when coming from a permitted network.
I'm in the process of updating the backport proposal. To be safe, I'm removing @jim's vote given how many times the code has changed since he reviewed and will put it back in the "active" section of STATUS.

--
Daniel Ruggeri

On 4/1/2017 8:17 AM, Daniel Ruggeri wrote:
> Agreed - as many times as I read the spec, I have no idea how I did not
> see that security advisory. It's flat-out damning to the idea of an
> "optional" mode. I'll go ahead and rip out the optional processing and
> will add your suggested idea of a list of subnets to disable parsing. I
> hope to have a patch later this morning to share. As awful as the name
> is, I'm thinking RemoteIPProxyProtocolDisableNetworks ARG1 ARG2 ARG3.
>
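The behaviour the commit describes (reject a connection that arrives without a PROXY header, but skip PROXY processing entirely for peers in the disable list) can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from mod_remoteip (which is C): a Python model of PROXY protocol v1 handling where the `DISABLE_HOSTS` list stands in for the directive discussed above, with constructed sample networks and sample connection data.

```python
"""Added example (not from the httpd thread or mod_remoteip itself): a minimal
model of the PROXY protocol v1 handling the commit describes. A connection from
a host in the disable list is left untouched; any other connection must begin
with a valid PROXY v1 header or it is rejected, and on success the client
address is taken from the header rather than from the TCP peer."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Stand-in for the RemoteIPProxyProtocolDisableHosts directive discussed in the
# thread; these networks are constructed sample values, not real configuration.
DISABLE_HOSTS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.7/32"),
]

MAX_V1_HEADER = 107  # PROXY v1 header length limit, CRLF included


class ProxyProtocolError(Exception):
    """Raised when a connection that must carry a PROXY header does not."""


@dataclass
class ConnInfo:
    client_ip: str
    client_port: int
    proxy_header_used: bool


def _parse_v1_header(header: bytes) -> Optional[Tuple[str, int]]:
    """Parse one PROXY v1 line (CRLF already stripped). Returns (src_ip, src_port),
    or None for 'PROXY UNKNOWN', which carries no usable address."""
    parts = header.split(b" ")
    if parts[0] != b"PROXY" or len(parts) < 2:
        raise ProxyProtocolError("not a PROXY v1 header")
    if parts[1] == b"UNKNOWN":
        return None
    if len(parts) != 6:
        raise ProxyProtocolError("wrong field count")
    family = {b"TCP4": 4, b"TCP6": 6}.get(parts[1])
    if family is None:
        raise ProxyProtocolError("unsupported protocol family")
    try:
        src = ipaddress.ip_address(parts[2].decode("ascii"))
        dst = ipaddress.ip_address(parts[3].decode("ascii"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ProxyProtocolError("bad address") from exc
    # The declared family must match both addresses; a mismatch is a malformed header.
    if src.version != family or dst.version != family:
        raise ProxyProtocolError("address family mismatch")
    ports = []
    for p in parts[4:6]:
        if not p.isdigit() or not 0 <= int(p) <= 65535:
            raise ProxyProtocolError("bad port")
        ports.append(int(p))
    return str(src), ports[0]


def accept_connection(peer_ip: str, peer_port: int, data: bytes,
                      disable_hosts=DISABLE_HOSTS) -> Tuple[ConnInfo, bytes]:
    """Apply the disable-list check, then require and consume a PROXY v1 header.
    Returns the effective client address and the bytes left after the header."""
    peer = ipaddress.ip_address(peer_ip)
    # Peers in a disabled network keep their TCP address; no header is expected.
    if any(peer in net for net in disable_hosts):
        return ConnInfo(peer_ip, peer_port, False), data
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ProxyProtocolError("no PROXY header within the allowed length")
    parsed = _parse_v1_header(data[:end])
    rest = data[end + 2:]
    if parsed is None:  # PROXY UNKNOWN: header consumed, peer address retained
        return ConnInfo(peer_ip, peer_port, True), rest
    src_ip, src_port = parsed
    return ConnInfo(src_ip, src_port, True), rest


def is_rejected(peer_ip: str, peer_port: int, data: bytes,
                disable_hosts=DISABLE_HOSTS) -> bool:
    """True when the connection would be dropped for lacking a valid header."""
    try:
        accept_connection(peer_ip, peer_port, data, disable_hosts)
    except ProxyProtocolError:
        return True
    return False
```

The key property is that the disable-list check runs before any header parsing: a peer in a listed network never has bytes interpreted as a PROXY header, while every other peer is rejected outright if the header is missing or malformed, which is what closes the hole an "optional" mode leaves open.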