On Sat, Aug 3, 2013 at 5:59 PM, Richard Hipp <d...@sqlite.org> wrote:
>
>
> On Sat, Aug 3, 2013 at 4:59 PM, Maxim Khitrov <m...@mxcrypt.com> wrote:
>>
>> On Sat, Aug 3, 2013 at 4:52 PM, reverse <reve...@snowflakejoins.com>
>> wrote:
>> > Hi,
>> >
>> > I also had some problems behind proxy. Solved those by having one more
>> > Apache instance just for Fossil deployment.
>> >
>> > Please consider taking value of HTTP_FORWARDED_REQUEST_URI (if present)
>> > instead of PATH_INFO, and of X-Forwarded-For instead of REMOTE_ADDRESS.
>>
>> I sent in a patch to use X-Real-IP (same as X-Forwarded-For, I
>> think?). Not sure why it wasn't accepted,
>
>
> Your patch would allow clients to forge their IP address by injecting an
> X-Forwarded-For header in the HTTP request. Fossil has no way of knowing if
> the X-Forwarded-For comes from a trusted proxy or a malicious client.

What about adding a config option to allow this header only when fossil is
running behind a reverse proxy? Alternatively, you could accept
X-Forwarded-For by default when the remote address is the local host. That
should take care of the most common setup.

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
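
The rule proposed in the reply above, sketched in C as an added example; it is not Fossil's code and not from any participant in the thread. The names `client_addr`, `is_loopback` and `behind_proxy` are hypothetical, the addresses are constructed documentation-range values, and the sketch assumes the proxy appends the peer address as the last X-Forwarded-For entry.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if addr is a loopback address (127.0.0.0/8 or ::1). */
static int is_loopback(const char *addr) {
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, addr, &a4) == 1)
        return (ntohl(a4.s_addr) >> 24) == 127;
    if (inet_pton(AF_INET6, addr, &a6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&a6);
    return 0;
}

/* Pick the address to record for a request. The header is consulted only
 * when the sender is trusted: behind_proxy stands for a hypothetical config
 * option, loopback is the default case. Only the rightmost entry is used,
 * since that is the one the proxy appended; anything to its left may have
 * been supplied by the client. Writes into out and returns it. */
const char *client_addr(const char *peer, const char *xff, int behind_proxy,
                        char *out, size_t n) {
    unsigned char tmp[sizeof(struct in6_addr)];
    char cand[INET6_ADDRSTRLEN];
    const char *last; size_t len;

    snprintf(out, n, "%s", peer);            /* default: the TCP peer */
    if (xff == NULL || !(behind_proxy || is_loopback(peer)))
        return out;                          /* untrusted sender: ignore header */
    last = strrchr(xff, ',');
    last = last ? last + 1 : xff;
    while (*last == ' ' || *last == '\t') last++;
    len = strcspn(last, " \t");
    if (len == 0 || len >= sizeof cand) return out;
    memcpy(cand, last, len);
    cand[len] = '\0';
    if (inet_pton(AF_INET, cand, tmp) == 1 || inet_pton(AF_INET6, cand, tmp) == 1)
        snprintf(out, n, "%s", cand);        /* accept only a well-formed address */
    return out;
}

int main(void) {
    char buf[INET6_ADDRSTRLEN];
    /* Constructed inputs: a direct client forging the header, then a local proxy. */
    puts(client_addr("203.0.113.7", "10.0.0.1", 0, buf, sizeof buf));
    puts(client_addr("127.0.0.1", "10.0.0.1, 198.51.100.4", 0, buf, sizeof buf));
    return 0;
}
```
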