Should there be warning in documentation on usage of $proxy_add_x_forwarded_for for X-Forwarded-For proxy header on edge proxies?
I keep seeing config examples with proxy settings like this:
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Which doesn't make sense on edge servers as there's no way to trust the client-provided value. At best it just adds unnecessary complexity trying to figure out the last "trustworthy" entry.
The correct value should be just $remote_addr (and thus drop client-provided values).
I think $proxy_add_x_forwarded_for should only be used for proxies located behind another proxy.
(or someone please correct me on this)
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx