On Sun, Apr 09, 2017 at 02:04:39PM +0200, Hiltjo Posthuma wrote:
> Hey,
>
> In the relayd.conf(5) example it is better to set the X-Forwarded-For
> header (set) and not trust whatever the client sends in the headers (append).
>
> (Except of course when the client is another trusted proxy)
>
> This is mentioned in a discussion on misc@ by Stuart Henderson in the
> thread "[relayd] keep origin IP in logs".
>
> The below patch updates the relayd.conf(5) example from append to set:
>
fixed, thanks. jmc > > diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5 > index c1dee3a4d29..2b46f1c0c5d 100644 > --- a/usr.sbin/relayd/relayd.conf.5 > +++ b/usr.sbin/relayd/relayd.conf.5 > @@ -1467,9 +1467,9 @@ and include the > variable in the hash to calculate the target host: > .Bd -literal -offset indent > http protocol "https" { > - match header append "X-Forwarded-For" \e > + match header set "X-Forwarded-For" \e > value "$REMOTE_ADDR" > - match header append "X-Forwarded-By" \e > + match header set "X-Forwarded-By" \e > value "$SERVER_ADDR:$SERVER_PORT" > match header set "Keep-Alive" value "$TIMEOUT" > > -- > Kind regards, > Hiltjo >
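Review bot: the switch from `append` to `set` for both `X-Forwarded-For` and `X-Forwarded-By` is the right fix for the hunk, since `append` keeps any `X-Forwarded-For` value the client supplied and only adds `$REMOTE_ADDR` behind it, so a downstream that reads the first address in that header would act on a client-controlled value, whereas `set` overwrites it with the address relayd actually observed. The one thing the hunk does not carry is the caveat stated in the mail body: `append` is only appropriate when the peer is another trusted proxy whose header you want to preserve. Since this is the example people copy, a one-line remark to that effect next to the `.Bd -literal` block (something like "use `append` only when the client is a trusted proxy") would keep that context in the manual rather than only in the misc@ thread.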