> In the startup.pl of the app server:
>
> sub My::ProxyRemoteAddr ($) {
> my $r = shift;

You'll want to insert this here:

# we'll only look at the X-Forwarded-For header if the request
# comes from our proxy at localhost
return OK unless ($r->connection->remote_ip eq "127.0.0.1");

It's in the latest mod_proxy_add_forward; maybe you're using an older
version. This makes sure an outsider cannot defeat any IP-based
authorization by connecting directly to the backend and supplying a forged
X-Forwarded-For header. Of course this is moot if the backend is bound to
127.0.0.1.

> if (my ($ip) = $r->header_in('X-Forwarded-For') =~ /([^,\s]+)$/) {
> $r->connection->remote_ip($ip);
> }
>
> return OK;
> }
>
--
Eric
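
Added example, not part of the original message or of mod_proxy_add_forward: a stand-alone Perl model of the check discussed above, showing which address IP-based authorization would see with the trusted-peer test in place. The helper name effective_ip, the %TRUSTED_PROXY table, the IPv4 sanity check and the sample requests are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration: models the backend handler's decision without mod_perl.
use strict;
use warnings;

# Assumption: the only peer allowed to speak for a client via X-Forwarded-For.
my %TRUSTED_PROXY = ('127.0.0.1' => 1);

# effective_ip (hypothetical helper): the address that IP-based
# authorization should use for one request.
sub effective_ip {
    my ($peer_ip, $xff) = @_;

    # Direct connection to the backend: the header is supplied by the
    # caller and proves nothing, so keep the socket's peer address.
    return $peer_ip unless $TRUSTED_PROXY{$peer_ip};

    # Same pattern as the handler in the thread: take the last entry,
    # assumed here to be the one our own proxy appended.
    my ($ip) = defined($xff) ? $xff =~ /([^,\s]+)$/ : ();
    return $peer_ip unless defined $ip;

    # Extra check, not in the thread's handler: accept only something
    # shaped like a dotted-quad IPv4 address.
    return $peer_ip unless $ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;

    return $ip;
}

# Constructed sample requests: [ socket peer, X-Forwarded-For header ]
my @requests = (
    [ '127.0.0.1',    '203.0.113.7' ],            # normal proxied request
    [ '127.0.0.1',    '10.0.0.5, 203.0.113.7' ],  # client-sent entry first, proxy's entry last
    [ '198.51.100.9', '10.0.0.5' ],               # direct to backend with a forged header
    [ '127.0.0.1',    undef ],                    # local request with no header
    [ '127.0.0.1',    'not-an-address' ],         # malformed value via the proxy
);

for my $req (@requests) {
    my ($peer, $xff) = @$req;
    printf "%-13s %-24s -> %s\n",
        $peer, $xff // '(none)', effective_ip($peer, $xff);
}
```

For the third request the forged 10.0.0.5 is ignored and the peer address 198.51.100.9 is kept, which is the case the added return line in the reply protects against.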