Hi,

In reverseproxymode, when there is a list of IPs in the X-Forwarded-For header, it's always the leftmost IP which is chosen by NaviServer for access logs (and ns_conn peeraddr):

    X-Forwarded-For: 1.1.1.1,2.2.2.2
    ns_conn peeraddr -source forwarded = 1.1.1.1

Is there any mechanism by which we can resolve to the rightmost IP for the access logs instead?

    X-Forwarded-For: 1.1.1.1,2.2.2.2
    ns_conn peeraddr -source forwarded = 2.2.2.2

The use case is: if we are behind a single reverse proxy, and X-Forwarded-For already exists when hitting that proxy, the proxy will often append the client IP to the contents of the header. In these cases, we don't want to trust the original contents of the header, only what was added by our trusted proxy - e.g. the rightmost value. The algorithm could be something like:

    # ${x-forwarded-for} holds the header value split into a Tcl list;
    # $trusted_subnet holds the addresses/subnets of our own proxies
    if { [llength ${x-forwarded-for}] > 1 } {
        # only honour the header when the direct peer is one of our proxies
        if { [ns_conn peeraddr -source direct] in $trusted_subnet } {
            # the rightmost entry is the one our proxy appended
            set client_ip [lindex ${x-forwarded-for} end]
        }
    }

We can currently do this programmatically by inspecting the headers themselves, but the IP in the access logs would, I think, still be the untrusted IP. (This is really a limitation of the X-Forwarded-For mechanism itself, hence why it is being superseded by the Forwarded header.)

Nginx has a config mechanism to try to express this which includes specifying the subnets or IP addresses you trust: https://nginx.org/en/docs/http/ngx_http_realip_module.html

In NaviServer, it could be something like:

    ns_param reverseproxymode "true"
    ns_param reverseproxytrust [list 192.168.1.21 192.168.2.0/24]

Any suggestions on what is best to do here?

--
David Osborne | Software Engineer
Qcode Software
Email: da...@qcode.co.uk | Phone: 01463 896 484
www.qcode.co.uk
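Worked example of the trusted-proxy selection the message proposes, added here as illustration; it is not NaviServer code and not David's, and it uses a constructed trusted list that mirrors the suggested reverseproxytrust values. It goes beyond the single-proxy case in the message: it walks the X-Forwarded-For chain from the right and skips every hop that is itself a trusted proxy (the behaviour of nginx's real_ip_recursive), so chained trusted proxies are handled, and a malformed hop makes it fall back to the direct peer rather than logging attacker-supplied text.

```python
"""Pick the client address to log from X-Forwarded-For, trusting only known proxies."""
import ipaddress
from typing import Iterable, Optional

# Constructed sample configuration mirroring the proposed reverseproxytrust
# parameter: one trusted proxy host plus one trusted subnet.
TRUSTED_PROXIES = ["192.168.1.21", "192.168.2.0/24"]


def _is_trusted(addr: str, trusted: Iterable[str]) -> bool:
    """True if addr falls inside any trusted host or CIDR entry."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # malformed or empty entries are never trusted
    # strict=False lets a bare host like 192.168.1.21 act as a /32 network
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in trusted)


def client_ip(direct_peer: str, xff_header: Optional[str], trusted: Iterable[str]) -> str:
    """
    direct_peer: the TCP peer address (what ns_conn peeraddr -source direct returns).
    xff_header:  raw X-Forwarded-For value, or None when the header is absent.
    Returns the address that should appear as the client in the access log.

    The header is only honoured when the connection actually comes from one of
    our proxies. The chain is then walked from the right (the hop our proxy
    appended) towards the left, skipping addresses that are themselves trusted
    proxies; the first untrusted address is the client. Everything left of it
    was supplied by parties we do not trust and is ignored.
    """
    if not _is_trusted(direct_peer, trusted) or not xff_header:
        return direct_peer
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # A hop that is not an IP address means the chain cannot be
            # trusted; log the peer we can verify instead of the raw text.
            return direct_peer
        if not _is_trusted(hop, trusted):
            return hop
    # Every hop was one of our own proxies: the leftmost entry is the best
    # remaining candidate for the originating client.
    return hops[0]


if __name__ == "__main__":
    # The case from the message: our proxy appended 2.2.2.2 to an existing header.
    print(client_ip("192.168.1.21", "1.1.1.1,2.2.2.2", TRUSTED_PROXIES))
    # A chained trusted proxy on the right is skipped.
    print(client_ip("192.168.1.21", "1.1.1.1, 2.2.2.2, 192.168.2.7", TRUSTED_PROXIES))
    # Untrusted direct peer: the header is ignored entirely.
    print(client_ip("203.0.113.9", "1.1.1.1,2.2.2.2", TRUSTED_PROXIES))
```

The check on the direct peer is what makes the rightmost-value rule safe: without it, any client can connect directly and put whatever it likes into the header, and the rightmost entry is then just as untrusted as the leftmost.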
_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel