[
https://issues.apache.org/jira/browse/SLING-3015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13739688#comment-13739688
]
Stefan Egli commented on SLING-3015:
------------------------------------
[~fmeschbe], agreed. What if the decision to use the feature is left to the sys
admin though, assuming that the sys admin would trust the installed proxy (e.g.
dispatcher)? I agree that it is potentially risky, but if, for a given
deployment, that parameter is securely established, then it could still be an
option?
> Take X-Forwarded-For into account for IP whitelisting
> -----------------------------------------------------
>
> Key: SLING-3015
> URL: https://issues.apache.org/jira/browse/SLING-3015
> Project: Sling
> Issue Type: Improvement
> Components: Extensions
> Affects Versions: Discovery Impl 1.0.0
> Reporter: Stefan Egli
> Assignee: Stefan Egli
>
> Currently, the IP whitelisting for incoming topology connections of the
> discovery.impl uses 'getRequestHost/Addr' to decide if it wants to accept a
> connection or not. This is not sufficient in the case where a server is
> behind e.g. a reverse proxy. In such cases it would simply get the reverse
> proxy's address, voiding the IP whitelisting feature.
> To improve this situation, the X-Forwarded-For header field should be
> evaluated optionally too.
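The trust condition discussed in this comment, as an added example that is not part of the original message or of Sling's discovery.impl: X-Forwarded-For is consulted only when the connection's peer is a configured trusted proxy, and the chain is read right to left. The class, its methods and the addresses are hypothetical or constructed, and addresses are assumed to be compared as plain strings.

```java
import java.util.Set;

// Added illustration: names are hypothetical, not Sling discovery.impl code.
public class ForwardedForWhitelist {
    private final Set<String> trustedProxies; // peers the sys admin trusts to set X-Forwarded-For
    private final Set<String> whitelist;      // addresses allowed to open topology connections

    public ForwardedForWhitelist(Set<String> trustedProxies, Set<String> whitelist) {
        this.trustedProxies = trustedProxies;
        this.whitelist = whitelist;
    }

    // remoteAddr: the connection's peer address; xff: raw header value or null.
    // Returns the address to check against the whitelist, or null if the header is malformed.
    public String effectiveClient(String remoteAddr, String xff) {
        // Anyone can send the header; honour it only when the peer is a trusted proxy.
        if (xff == null || xff.trim().isEmpty() || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        // Each proxy appends the peer it saw, so read right to left and stop at the
        // first hop that is not a trusted proxy: entries left of it are unverified.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.matches("[0-9A-Fa-f:.]+")) return null; // not an IP literal
            if (!trustedProxies.contains(hop)) return hop;
        }
        return hops[0].trim(); // chain consists of trusted proxies only
    }

    public boolean isAllowed(String remoteAddr, String xff) {
        String client = effectiveClient(remoteAddr, xff);
        return client != null && whitelist.contains(client);
    }

    public static void main(String[] args) {
        // Constructed sample values from the documentation address ranges.
        ForwardedForWhitelist w = new ForwardedForWhitelist(
                Set.of("192.0.2.10"), Set.of("198.51.100.7"));
        // Trusted proxy forwards a whitelisted instance.
        System.out.println(w.isAllowed("192.0.2.10", "198.51.100.7"));
        // Direct peer is not a trusted proxy: header ignored, peer itself is checked.
        System.out.println(w.isAllowed("203.0.113.5", "198.51.100.7"));
        // Sender pre-filled the header; the proxy appended the real peer on the right.
        System.out.println(w.isAllowed("192.0.2.10", "198.51.100.7, 203.0.113.5"));
    }
}
```

Only the first call is accepted; the other two fall back to an address that is not on the whitelist.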