[ https://issues.apache.org/jira/browse/SLING-3015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13739545#comment-13739545 ]
Felix Meschberger commented on SLING-3015:
------------------------------------------

The X-Forwarded-For header is not appropriate: It may or may not be present for various reasons (security not being the least). So depending on this header for security reasons is inherently unsafe and thus insecure.

> Take X-Forwarded-For into account for IP whitelisting
> -----------------------------------------------------
>
>                 Key: SLING-3015
>                 URL: https://issues.apache.org/jira/browse/SLING-3015
>             Project: Sling
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: Discovery Impl 1.0.0
>            Reporter: Stefan Egli
>            Assignee: Stefan Egli
>
> Currently, the IP whitelisting for incoming topology connections of the
> discovery.impl uses 'getRequestHost/Addr' to decide if it wants to accept a
> connection or not. This is not sufficient in the case where a server is
> behind e.g. a reverse proxy. In such cases it would simply get the reverse
> proxy's address, voiding the IP whitelisting feature.
> To improve this situation, the X-Forwarded-For header field should be
> evaluated optionally too.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
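The two positions above (the reporter wants X-Forwarded-For consulted behind a reverse proxy; the commenter points out the header is attacker-controlled and may be absent) can be reconciled by only believing the header when the TCP peer is a proxy you operate, and by reading it right to left. The following is an added example, not code from Sling's discovery.impl; the whitelist, the trusted-proxy list and the function names are assumptions constructed for illustration. It puts the spoofable variant beside the hardened one so the difference can be checked on sample requests.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configuration (an assumption for this example, not Sling's
# own config): addresses allowed to open a topology connection, and the reverse
# proxies we trust to append X-Forwarded-For honestly.
WHITELIST = [ip_network("10.0.0.0/24")]
TRUSTED_PROXIES = [ip_network("192.0.2.10/32")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def naive_client_ip(peer_addr, xff_header):
    """Spoofable: blindly believes the first (leftmost) X-Forwarded-For entry,
    regardless of who sent the request."""
    if xff_header:
        return ip_address(xff_header.split(",")[0].strip())
    return ip_address(peer_addr)


def effective_client_ip(peer_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Only consult X-Forwarded-For when the TCP peer is a trusted proxy.

    Walks the header right to left, skipping trusted proxies; the first address
    that is not a trusted proxy is the one that actually connected to our proxy
    chain. Anything the client put in the header itself sits further left and
    is never reached. With no header, or an untrusted peer, the peer address is
    used, which is the current 'getRequestHost/Addr' behaviour.
    """
    peer = ip_address(peer_addr)
    if not xff_header or not _in_any(peer, trusted_proxies):
        return peer
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            candidate = ip_address(hop)
        except ValueError:
            # Malformed entry: stop trusting anything to the left of it.
            return peer
        if not _in_any(candidate, trusted_proxies):
            return candidate
    # Every listed hop was one of our proxies; fall back to the peer itself.
    return peer


def accept_topology_connection(peer_addr, xff_header=None, whitelist=WHITELIST):
    """Whitelist decision based on the hardened client-address derivation."""
    return _in_any(effective_client_ip(peer_addr, xff_header), whitelist)


if __name__ == "__main__":
    # Constructed sample requests: a direct spoof attempt and a proxied request
    # whose client pre-filled a whitelisted address before the proxy appended
    # the real one.
    print(naive_client_ip("203.0.113.7", "10.0.0.5"))          # 10.0.0.5 (fooled)
    print(effective_client_ip("203.0.113.7", "10.0.0.5"))      # 203.0.113.7
    print(accept_topology_connection("192.0.2.10", "10.0.0.5, 203.0.113.7"))  # False
```

The whitelist is evaluated only against the address derived this way, so a request that never passed through a trusted proxy cannot influence the decision by adding the header, and a proxied request is judged by the hop the proxy itself recorded rather than by whatever the client pre-filled.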