Should there be warning in documentation on usage of $proxy_add_x_forwarded_for for X-Forwarded-For proxy header on edge proxies?

I keep seeing config examples with proxy settings like this:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Which doesn't make sense on edge servers as there's no way to trust the client-provided value. At best it just adds unnecessary complexity trying to figure out the last "trustworthy" entry.

The correct value should be just $remote_addr (and thus drop client-provided values).

I think $proxy_add_x_forwarded_for should only be used for proxies located behind another proxy.

(or someone please correct me on this)
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx