Implement functionality to allow users to configure the X-Forwarded-For behaviour on each redirector.

Possible values could include:

- Left-most value
- Right-most value
- Left-most non-private value
- Right-most non-private value
- Custom header (i.e. set a specific client IP manually via a different header than X-Forwarded-For). This could let the user have an option to work around any unruly CDNs or tech stacks that don't have any sane behaviour.
- Forwarded header. Decide if we can/should also add support for the Forwarded header now being implemented by some tech stacks.

Decide on the best default behaviour:

- Left-most value: better compatibility with CDNs, potential spoofing, but users are expected to ensure their redirectors provide trusted values. See Issue #1 for additional context.
- Left-most non-private value: maintains CDN compatibility and limits (but maybe doesn't prevent?) spoofing; recommended approach as documented here.
- Right-most value: worse compatibility with CDNs, prevents spoofing in cases where users don't test and configure redirectors properly.

My instinct says revert back to left-most but implement the non-private check. The only possible edge case I see is if there is no non-private IP (i.e. dev/testing), but this could be addressed by reconfiguring the redirector or having a fallback to just take the left-most if there are only private addresses.

Update the CDN-specific redirector documentation to include recommendations on how this should be set for specific CDNs / tech stacks.
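The selection strategies listed above, including the non-private check with a fall-back to the left-most hop when only private addresses are present and the custom-header option, as an added example (not the project's own code); the function and strategy names are assumptions, and the sample header values are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Union

IP = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Selection strategies named after the options discussed in the issue (assumed names).
STRATEGIES = ("leftmost", "rightmost", "leftmost_nonprivate", "rightmost_nonprivate")


def parse_hops(header_value: str) -> List[IP]:
    """Split a comma-separated header value into parsed addresses, skipping junk tokens."""
    hops = []
    for token in header_value.split(","):
        try:
            hops.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            pass  # not an IP literal (e.g. "unknown"): ignore rather than trust it
    return hops


def select_client_ip(header_value: Optional[str], strategy: str = "leftmost_nonprivate",
                     fallback_to_leftmost: bool = True) -> Optional[str]:
    """Pick the client IP from a proxy-chain header according to the configured strategy."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    hops = parse_hops(header_value or "")
    if not hops:
        return None
    if strategy == "leftmost":
        return str(hops[0])
    if strategy == "rightmost":
        return str(hops[-1])
    # Python's is_private covers RFC 1918, loopback, link-local and documentation ranges,
    # so "non-private" here is slightly broader than RFC 1918 alone.
    public = [h for h in hops if not h.is_private]
    if not public:
        # The dev/testing edge case from the issue: every hop is private.
        return str(hops[0]) if fallback_to_leftmost else None
    return str(public[0] if strategy == "leftmost_nonprivate" else public[-1])


def client_ip_from_headers(headers: Dict[str, str], header: str = "X-Forwarded-For",
                           strategy: str = "leftmost_nonprivate") -> Optional[str]:
    """Read the configured header (X-Forwarded-For or a custom one) case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return select_client_ip(lowered.get(header.lower()), strategy)
```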