Process X-Forwarded-For header in correct order #3095

Closed
vrana commented Nov 29, 2012

See http://en.wikipedia.org/wiki/X-Forwarded-For#Format. The IP addresses are appended to the right side, so the server communicating with my managed proxy server is the last. This is the only value that can be trusted if I am behind a managed proxy server; all others can be easily spoofed. The last value is also the equivalent of REMOTE_ADDR if I am not behind a reverse proxy.

@vrana vrana Process X-Forwarded-For header in correct order
See http://en.wikipedia.org/wiki/X-Forwarded-For#Format. The IP addresses are appended to the right side, so the server communicating with my managed proxy server is the last. This is the only value that can be trusted if I am behind a managed proxy server; all others can be easily spoofed. The last value is also the equivalent of REMOTE_ADDR if I am not behind a reverse proxy.
0742b4c
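Added example (not part of this pull request and not Zend Framework code): one way to read X-Forwarded-For from right to left, as the description above argues, and to ignore the header entirely when the peer is not a proxy you operate. The function name `resolveClientIp`, the trusted-proxy list and all addresses are assumptions constructed for illustration; the fix that was merged for this issue took a different approach.

```php
<?php
// Added example: hypothetical helper, not the framework's implementation.

/**
 * Resolve the client address by walking X-Forwarded-For from right to left.
 *
 * @param string   $remoteAddr     Peer address of the TCP connection (REMOTE_ADDR).
 * @param string   $forwardedFor   Raw X-Forwarded-For value, '' when absent.
 * @param string[] $trustedProxies Addresses of proxies we operate (assumed list).
 */
function resolveClientIp(string $remoteAddr, string $forwardedFor, array $trustedProxies): string
{
    // Peer is not our proxy: every header value is client-controlled, ignore it.
    if (!in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }

    $hops = array_filter(
        array_map('trim', explode(',', $forwardedFor)),
        static fn (string $hop): bool => $hop !== ''
    );

    // The rightmost entry was appended by our own proxy. Entries further left
    // were supplied by earlier hops and are only as reliable as those hops.
    $client = $remoteAddr;
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: keep the last address we could vouch for
        }
        $client = $hop;
        if (!in_array($hop, $trustedProxies, true)) {
            break; // first address not written by one of our proxies
        }
    }
    return $client;
}

// Constructed sample data (documentation address ranges).
$trusted = ['192.0.2.10'];
$cases = [
    'direct peer, forged header'    => ['203.0.113.7', '198.51.100.99'],
    'via proxy, forged left value'  => ['192.0.2.10', '127.0.0.1, 198.51.100.23'],
    'via proxy, header missing'     => ['192.0.2.10', ''],
];
foreach ($cases as $label => [$peer, $header]) {
    echo $label, ': ', resolveClientIp($peer, $header, $trusted), PHP_EOL;
}
```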
@weierophinney weierophinney added a commit that closed this pull request Nov 29, 2012
@weierophinney weierophinney Merge branch 'security/session-ip-validator'
Fixes issues with proxy server/ip detection.

Fixes #3095

- However, a different approach is taken than that used in that pull request.
293a37a
@dvv dvv referenced this pull request in ninenines/cowboy Feb 6, 2013
Closed

x-forwarded-for: should use the last token #402

@weierophinney weierophinney added a commit to zendframework/zend-http that referenced this pull request May 15, 2015
@weierophinney weierophinney Merge branch 'security/session-ip-validator'
Fixes issues with proxy server/ip detection.

Fixes zendframework/zendframework#3095

- However, a different approach is taken than that used in that pull request.
e47995d
@weierophinney weierophinney added a commit to zendframework/zend-session that referenced this pull request May 15, 2015
@weierophinney weierophinney Merge branch 'security/session-ip-validator'
Fixes issues with proxy server/ip detection.

Fixes zendframework/zendframework#3095

- However, a different approach is taken than that used in that pull request.
b27a1fe
@weierophinney weierophinney added a commit to zendframework/zend-view that referenced this pull request May 15, 2015
@weierophinney weierophinney Merge branch 'security/session-ip-validator'
Fixes issues with proxy server/ip detection.

Fixes zendframework/zendframework#3095

- However, a different approach is taken than that used in that pull request.
bbb7f5d