Review of the behaviour of x-fowarded-for

schwicke · October 23, 2017, 3:33pm

Hi, Simone,

we had some issues with the way x-forwarded-for is currently implemented, and we think it needs to be reviewed. As already discussed off-line, the expected behavior should be something like this:

When x-forwarded-for contains strings (as opposed to numeric IPs): try to string-match it with allowed values which were declared as strings;
When “unknown” is found as header value, don’t match the rule, a priori.
if no match is found until now, and the user has declared allowed any numeric IP/IPMask, try to resolve the header value as a DNS name on the fly and match it with allowed IP/IPMasks.

sscarduzio · October 24, 2017, 2:45pm

Hello @schwicke, I have just committed a fix to master about this one. Feel free to test it straight from there.

schwicke · October 26, 2017, 7:51am

Hi, Simone,
thanks a lot! I hope to be able to have a look at it today and let you know.