mike-jumper commented on PR #926: URL: https://github.com/apache/guacamole-client/pull/926#issuecomment-1789780889
For this change to move forward with providing the quality-of-life improvements intended (without introducing a security issue), the change would need to:

1. Effectively re-implement what Tomcat already provides with `RemoteIpValve` via more convenient configuration properties, ensuring the admin has full control over how and whether `X-Forwarded-For` is used.
2. Use a servlet filter or similar to guarantee that `getRemoteAddr()` returns the expected address when the HTTP request is directly inspected (third-party libraries like those used for SAML will otherwise not be affected by the additional configuration and would still not see the expected address without `RemoteIpValve`).

@LemonZuo If you want to give that a shot, the change would need to be made to the webapp, not guacamole-ext. If done correctly, `Credentials` and anything else using standard functions like `getRemoteAddr()` would see the expected address.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
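The two requirements in the comment above, sketched as an added example that is not code from the pull request or from Guacamole: a servlet filter that wraps the request so `getRemoteAddr()` reflects `X-Forwarded-For` only when the direct peer is an admin-listed proxy. The class name and the `trustedProxies` init-param are hypothetical, and the `javax.servlet` API with exact-match proxy addresses is assumed.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: honors X-Forwarded-For only from configured proxies. */
public class TrustedProxyRemoteAddrFilter implements Filter {

    // Assumption: comma-separated proxy addresses from a hypothetical
    // "trustedProxies" init-param. Empty set means the header is never used.
    private Set<String> trustedProxies = Collections.emptySet();

    @Override
    public void init(FilterConfig config) {
        String value = config.getInitParameter("trustedProxies");
        if (value != null && !value.trim().isEmpty())
            trustedProxies = new HashSet<>(Arrays.asList(value.trim().split("\\s*,\\s*")));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            final String client = resolve((HttpServletRequest) req);
            // Wrap so third-party code calling getRemoteAddr() sees the same value
            req = new HttpServletRequestWrapper((HttpServletRequest) req) {
                @Override public String getRemoteAddr() { return client; }
                @Override public String getRemoteHost() { return client; }
            };
        }
        chain.doFilter(req, res);
    }

    /** Walks X-Forwarded-For right to left, skipping only trusted hops. */
    String resolve(HttpServletRequest request) {
        String peer = request.getRemoteAddr();
        if (!trustedProxies.contains(peer))
            return peer; // sender is not a trusted proxy: ignore the header
        // Join repeated header lines so a client-supplied first line cannot win
        String header = String.join(",", Collections.list(request.getHeaders("X-Forwarded-For")));
        String[] hops = header.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop))
                return hop; // first address not vouched for by a trusted proxy
        }
        return peer; // header absent, or every hop was a trusted proxy
    }

    @Override public void destroy() { }
}
```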
