acuteaura commented on issue #4942:
URL: https://github.com/apache/apisix/issues/4942#issuecomment-1812676091
For anyone from the future looking to have flattened XFF headers with a list
of explicit good IPs, this is what we ended up doing:
```
apiVersion: apisix.apache.org/v2
kind: ApisixGlobalRule
metadata:
  name: real-ip
spec:
  plugins:
    - name: real-ip
      enable: true
      config:
        recursive: true
        source: http_x_forwarded_for
        trusted_addresses:
          - 173.245.48.0/20
          - 103.21.244.0/22
          - 103.22.200.0/22
          - 103.31.4.0/22
          - 141.101.64.0/18
          - 108.162.192.0/18
          - 190.93.240.0/20
          - 188.114.96.0/20
          - 197.234.240.0/22
          - 198.41.128.0/17
          - 162.158.0.0/15
          - 104.16.0.0/13
          - 104.24.0.0/14
          - 172.64.0.0/13
          - 131.0.72.0/22
    - name: proxy-rewrite
      enable: true
      config:
        headers:
          remove:
            - X-Forwarded-For
          set:
            X-Forwarded-Port: 443
```
This parses XFF and sets `$remote_addr` to the first untrusted IP, then
unsets XFF so it's not appended to in the nginx snippet, and X-Forwarded-Port
just seems to be trusted blindly.
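An added illustration (not part of the original comment, and not APISIX's own code) of the right-to-left walk the comment describes for `recursive: true`: the header is honoured only when the connecting peer is trusted, and the result is the first address, counting from the right, that is not in `trusted_addresses`. The function names and sample addresses are constructed for this example, and stopping at an unparseable entry is an assumption of this model.

```python
import ipaddress

# Constructed subset of the trusted_addresses list in the rule above.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("173.245.48.0/20", "162.158.0.0/15", "104.16.0.0/13")]


def _parse(addr):
    """Return an ip_address object, or None if the text is not an IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted(addr, trusted=TRUSTED):
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted)


def resolve_client_ip(peer, xff, trusted=TRUSTED):
    """Model of a recursive real-ip lookup over X-Forwarded-For.

    peer is the TCP source address; xff is the raw header value (or None).
    """
    current = peer
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk from the rightmost entry (appended by the nearest proxy) leftwards.
    for hop in reversed(hops):
        # Only an address we trust may vouch for the entry to its left.
        if not is_trusted(current, trusted):
            break
        # Assumption: an unparseable entry ends the walk at the last good value.
        if _parse(hop) is None:
            break
        current = hop
    return current


if __name__ == "__main__":
    # Constructed request: the client forged "1.2.3.4" as the leftmost entry.
    print(resolve_client_ip("162.158.10.10",
                            "1.2.3.4, 203.0.113.7, 173.245.48.5"))
```

Entries to the left of the first untrusted address are client-controlled, which is why the walk never reads them.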