On Sun, Apr 09, 2017 at 02:04:39PM +0200, Hiltjo Posthuma wrote:
> Hey,
> 
> In the relayd.conf(5) example it is better to set the X-Forwarded-For
> header (set) and not trust whatever the client sends in the headers (append).
> 
> (Except of course when the client is another trusted proxy)
> 
> This is mentioned in a discussion on misc@ by Stuart Henderson in the
> thread "[relayd] keep origin IP in logs".
> 
> The below patch updates the relayd.conf(5) example from append to set:
> 

fixed, thanks.
jmc

> 
> diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
> index c1dee3a4d29..2b46f1c0c5d 100644
> --- a/usr.sbin/relayd/relayd.conf.5
> +++ b/usr.sbin/relayd/relayd.conf.5
> @@ -1467,9 +1467,9 @@ and include the
>  variable in the hash to calculate the target host:
>  .Bd -literal -offset indent
>  http protocol "https" {
> -     match header append "X-Forwarded-For" \e
> +     match header set "X-Forwarded-For" \e
>               value "$REMOTE_ADDR"
> -     match header append "X-Forwarded-By" \e
> +     match header set "X-Forwarded-By" \e
>               value "$SERVER_ADDR:$SERVER_PORT"
>       match header set "Keep-Alive" value "$TIMEOUT"
>  
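Review bot: the switch from append to set on the X-Forwarded-For and X-Forwarded-By lines has no explanation in the visible manual context, so the exception raised in the message (a client that is itself a trusted proxy) never reaches someone copying the example. Suggest adding a sentence beside the example saying that set replaces whatever value the client supplied, and that append is appropriate only when the connecting client is a trusted proxy whose existing header should be preserved.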
> -- 
> Kind regards,
> Hiltjo
> 
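An added example, not part of the original message or of relayd: a simplified Python model of the set and append actions discussed above, showing which address a backend ends up with for a direct client and for the trusted-proxy exception. The function names and all addresses are constructed for illustration, and the handling of append with no prior header is an assumption of the model.

```python
import ipaddress

def relay_forward(headers, remote_addr, action):
    """Simplified model of 'match header set|append "X-Forwarded-For"'."""
    out = dict(headers)
    prior = out.get("X-Forwarded-For")
    if action == "append" and prior:
        out["X-Forwarded-For"] = f"{prior}, {remote_addr}"  # keeps client input
    elif action in ("set", "append"):
        out["X-Forwarded-For"] = remote_addr                # relay's view only
    else:
        raise ValueError(f"unknown action: {action}")
    return out

def leftmost(xff):
    """What a naive backend logs: the first entry, whoever wrote it."""
    return xff.split(",")[0].strip()

def client_ip(xff, peer, trusted):
    """Walk the chain right to left; the first hop outside `trusted` is the client.
    Returns None if an entry is malformed or every hop is a trusted proxy."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [peer]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(addr in net for net in nets):
            return str(addr)
    return None

# Constructed addresses (documentation ranges), not taken from the thread.
CLIENT, RELAY, UPSTREAM = "203.0.113.7", "192.0.2.10", "198.51.100.5"
SPOOFED = {"X-Forwarded-For": "10.0.0.1"}   # header supplied by the client

if __name__ == "__main__":
    for action in ("append", "set"):
        xff = relay_forward(SPOOFED, CLIENT, action)["X-Forwarded-For"]
        print(action, "| direct client  |", xff, "| naive:", leftmost(xff),
              "| chain-aware:", client_ip(xff, RELAY, [RELAY]))
        # Trusted-proxy exception: UPSTREAM already recorded the real client.
        xff = relay_forward({"X-Forwarded-For": CLIENT}, UPSTREAM, action)["X-Forwarded-For"]
        print(action, "| behind upstream |", xff,
              "| chain-aware:", client_ip(xff, RELAY, [RELAY, UPSTREAM]))
```

With set, a backend that reads the first entry gets the relay's own view of the peer; with append it gets the client-supplied value unless it walks the chain from the right and skips only proxies it trusts.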
