On Wed, May 08, 2013 at 12:51:10PM +0200, Sander Klein wrote:
> On 08.05.2013 12:21, Sander Klein wrote:
> >Hey,
> >
> >>You have the optional argument "if-none" for "option forwardfor",
> >>but you should not do this with external proxies whose addresses
> >>you don't know because anyone could pass one and fool you.
> >
> >This doesn't feel like a good option ;-)
> >>In practice you would need them to pass you some information to
> >>prove the request comes from them. The best way to do this is to
> >>do it over ssl.
> >
> >Well, I know which networks they are using since they provide them on
> >their website. That might be proof enough
> >
> >I didn't test if it's possible to do 'option forwardfor except
> >192.168.1.0/24 192.168.2.0/24 etc...'
> >
> >Even better would be to load it from a file.
> >
> >Maybe the option from Finn Arne Gangstad might prove good enough for
> >me and I can fix it with some reqidel statements.
>
> I just found out that they also send a CF-Connecting-IP header. Is
> there a way to copy the contents of this header to the X-Forwarded-For
> header?

Yes, just remove x-forwarded-for and rename cf-connecting-ip to x-forwarded-for :-)

Willy
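
The approach discussed in this thread, as an added configuration example that is not part of the original messages: X-Forwarded-For is rebuilt from CF-Connecting-IP only when the connection comes from a network listed in a file, and from the socket address otherwise. It uses the `http-request` header actions of current HAProxy releases rather than the `reqidel` statements mentioned above; the section names, the list file path and the server address are hypothetical.

```haproxy
frontend fe_web
    bind :80

    # One CIDR per line, taken from the ranges the external proxy
    # provider publishes (hypothetical path).
    acl from_cdn src -f /etc/haproxy/cdn_networks.lst

    # Never keep an X-Forwarded-For that arrived with the request:
    # any client can send one.
    http-request del-header X-Forwarded-For

    # Connection comes from a listed proxy network: take the client
    # address from the header that proxy sets.
    http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if from_cdn { req.hdr(CF-Connecting-IP) -m found }

    # Anything else, including a listed proxy that sent no
    # CF-Connecting-IP: use the address of the TCP peer.
    http-request set-header X-Forwarded-For %[src] unless { req.hdr(X-Forwarded-For) -m found }

    # A CF-Connecting-IP header from an unlisted source is untrusted;
    # remove it so the backend cannot mistake it for a real one.
    http-request del-header CF-Connecting-IP unless from_cdn

    default_backend be_app

backend be_app
    # Constructed address for illustration.
    server app1 192.0.2.10:8080
```

The source-network check only shows that the request came through the listed proxy ranges; it does not replace the stronger proof over SSL suggested earlier in the thread.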

