Review of the behaviour of x-forwarded-for


(Meee!) #1

Hi, Simone,

we had some issues with the way x-forwarded-for is currently implemented, and we think it needs to be reviewed. As already discussed off-line, the expected behavior should be something like this:

  1. When x-forwarded-for contains strings (as opposed to numeric IPs): try to string-match it with allowed values which were declared as strings;

  2. When “unknown” is found as header value, don’t match the rule, a priori.

  3. If no match has been found so far, and the user has declared any numeric IP/IPMask as allowed, try to resolve the header value as a DNS name on the fly and match it with the allowed IP/IPMasks.
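
The three rules above, written out as an added example in Python; this is not code from the original thread or from the project, and it makes two assumptions the post does not state: the first hop of a comma-separated X-Forwarded-For chain is taken as the client, and name comparison is case-insensitive. The resolver is injectable (`resolver` parameter) so the demo runs offline against a constructed lookup table (`STUB_DNS`, `stub_resolver`); `dns_resolver` is the live variant.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List

# Resolver signature: hostname -> list of address strings ([] when it does not resolve).
Resolver = Callable[[str], List[str]]


def _as_network(value: str):
    """Parse an allowed value as a numeric IP or IP/mask; return None for a name."""
    try:
        return ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        return None


def dns_resolver(name: str) -> List[str]:
    """Live resolver for real use: every A/AAAA answer, [] if the lookup fails."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def xff_client(header_value: str) -> str:
    """Take the first hop of a comma-separated X-Forwarded-For chain as the client.
    Assumption not stated in the post: the header was written by a trusted proxy."""
    return header_value.split(",")[0].strip()


def xff_matches(header_value: str, allowed: Iterable[str],
                resolver: Resolver = dns_resolver) -> bool:
    """Apply the three rules from the post to one header value."""
    client = xff_client(header_value)
    # Rule 2: the placeholder "unknown" (and an empty value) never matches, a priori.
    if not client or client.lower() == "unknown":
        return False

    allowed_names: List[str] = []
    allowed_nets = []
    for item in allowed:
        net = _as_network(item)
        if net is None:
            allowed_names.append(item.strip().lower())
        else:
            allowed_nets.append(net)

    def in_allowed_nets(addr) -> bool:
        # ipaddress answers False for a v4 address tested against a v6 network, so mixing is safe.
        return any(addr in net for net in allowed_nets)

    try:
        client_ip = ipaddress.ip_address(client)
    except ValueError:
        client_ip = None  # not an IP literal, so treat it as a name
    if client_ip is not None:
        # Numeric header value: ordinary containment test against the numeric rules.
        return in_allowed_nets(client_ip)

    # Rule 1: a name is string-matched (case-insensitively) against names declared as strings.
    if client.lower() in allowed_names:
        return True
    # Rule 3: only if numeric rules exist, resolve the name on the fly and compare addresses.
    if not allowed_nets:
        return False
    for resolved in resolver(client):
        try:
            if in_allowed_nets(ipaddress.ip_address(resolved)):
                return True
        except ValueError:
            continue  # resolver returned something that is not an address; ignore it
    return False


# Constructed lookup table so the demo runs offline; these are not real DNS records.
STUB_DNS = {
    "proxy.example.org": ["10.1.2.3", "2001:db8::7"],
    "cdn.example.org": ["198.51.100.20"],
}


def stub_resolver(name: str) -> List[str]:
    return STUB_DNS.get(name.lower(), [])


ALLOWED = ["10.0.0.0/8", "lb.example.net"]  # one numeric rule, one string rule


if __name__ == "__main__":
    for value in ["unknown", "lb.example.net", "10.9.9.9", "proxy.example.org",
                  "cdn.example.org", "192.168.1.1, 10.0.0.1"]:
        print(f"{value!r:28} -> {xff_matches(value, ALLOWED, stub_resolver)}")
```

Two caveats follow directly from the rules as stated. Rule 3 trusts whatever the presented name resolves to, so a sender who controls a DNS zone can point a name at an address inside an allowed range; and X-Forwarded-For is an ordinary request header that any client can set, so all three rules only mean something when the value being checked was written by a proxy you trust, with whatever the client sent discarded or appended behind it.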


(Simone Scarduzio) #2

Hello @schwicke, I have just committed a fix to master about this one. Feel free to test it straight from there.


(Meee!) #3

Hi, Simone,
thanks a lot! I hope to be able to have a look at it today and let you know.