HTTP_X_FORWARDED_FOR can contain multiple IPs

[stuaxo]

HTTP_X_FORWARDED_FOR can contain a comma seperated list of IPs, and you only want to check one of them (which one may vary depending on if you use a CDN or not).

You can prepend your own IP using curl, e.g.

curl --header X-Forwarded-For '1.1.1.1,2.2.2.2,3.3.3.3 ..'

You get a resulting x-forwarded of: (edited)
1.1.1.1, 2.2.2.2, 3.3.3.3, {the client's real ip}, {cloudfront's ip}

So you need need a way of telling django-admin-restrictor the index of the IP you want from the end, I guess the sane default for this would be -1, but for the sites using cloudfront they will want -2.

Invest PIR has a solution to grab the second to last IP, which is hardcoded, along with unit tests in this PR
uktrade/invest-pir-api@5454251

I'm not sure how the setting would be spelt X_FORWARDED_INDEX ?

[stuaxo]

I'll submit a PR in the next few days, found out you are on holiday so shouldn't be checking this :)