Ticket #128 (new enhancement)

Opened 3 years ago

Last modified 4 months ago

restore REMOTE_ADDR from headers X-Forwarded-For or X-Real-IP

Reported by: rapaman
Owned by: anonymous
Priority: normal
Milestone:
Component: core
Version: 1.3.13
Severity: trivial
Keywords: real ip, remote_addr, x-forwarded-for,x-real-ip
Cc:
Blocked By:
Need User Feedback: no
Blocking:

Description

Hello,

It would be very good to have the possibility to restore REMOTE_ADDR from the X-Forwarded-For or X-Real-IP headers on backends where lighttpd is used, or to use any header that was set to restore the real IP from.

I think this will be a very useful feature for lighttpd.

Thanks.

Attachments

Change History

Changed 3 years ago by andreas

This will allow anyone to fake their IP address by adding the X-Forwarded-For header.

Changed 2 years ago by anonymous

Take a look at http://web.warhound.org/mod_extract_forwarded/ to see how Apache handles this. Basically, you need to add a config file directive listing which hosts (i.e., your proxies and load balancers) are allowed to set X-Forwarded-For.

Yeah, it's still possible to spoof, but it was possible to spoof the incoming IP in the first place.
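The allow-list idea from the comment above, as an added Python example; it is not code from this ticket, from lighttpd, or from mod_extract_forwarded. The names `TRUSTED_PROXIES` and `resolve_remote_addr`, the sample addresses, and the right-to-left walk over multiple hops are assumptions made for illustration.

```python
import ipaddress

# Constructed sample allow-list: the proxies and load balancers that are
# permitted to set X-Forwarded-For / X-Real-IP (hypothetical addresses).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(text):
    """Parse one header token into an address, or None if it is malformed."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def resolve_remote_addr(peer_ip, headers):
    """Return the address to expose as REMOTE_ADDR.

    peer_ip is the socket peer; headers is a dict keyed by the exact header
    names used below (an assumption of this example).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer):
        # Sender is not an allowed proxy: ignore whatever headers it supplied.
        return str(peer)

    xff = headers.get("X-Forwarded-For")
    if xff:
        # Each proxy appends the address it saw, so the rightmost entries are
        # the ones written by our own infrastructure. Walk right to left and
        # stop at the first hop that is not a trusted proxy.
        current = peer
        for hop in reversed(xff.split(",")):
            addr = _parse(hop)
            if addr is None:
                break  # malformed entry: keep the last address we could verify
            current = addr
            if not _is_trusted(addr):
                break
        return str(current)

    real = _parse(headers.get("X-Real-IP", ""))
    return str(real) if real is not None else str(peer)
```

Entries to the left of the first untrusted hop are never used, so a value the client placed in the header before it reached the proxy does not become REMOTE_ADDR.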

Changed 4 months ago by anonymous

  • severity changed from normal to trivial
  • pending unset
