You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Since the XFF header potentially has security implications, it seems worth preserving the original value, particularly in cases where the transparent directive in the proxy module is likely to be interacting w/ this. I'm not sure if this should be 'always-on' or optional though. Happy to drop it behind a flag if preferred.
It's true that realip doesn't change the header but proxytransparent does and because realip changes the remote IP, in conjunction, they're really hard to debug. In fairness, the more I think about it, the more I think this should be behind a preserve or preserve_header etc flag, but yeah, having the original header value makes debugging XFF issues in longer load balancer/proxy scenarios massively easier.
I could see an argument that proxy should be responsible for preserving the header, but in that case realip should probably be responsible for providing an option to expose the original remote IP value.
Refactored, adds a preserve flag, documents it, and preserves the RemoteAddr value (the specific information that's destroyed by the realip plugin rather than something that's modified only in conjunction w/ another plugin). Adds tests for the above.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Since the XFF header potentially has security implications, it seems worth preserving the original value, particularly in cases where the
transparentdirective in theproxymodule is likely to be interacting w/ this. I'm not sure if this should be 'always-on' or optional though. Happy to drop it behind a flag if preferred.