OpenConext / OpenConext-deploy

Ansible-based deployment automation for the OpenConext platform
Apache License 2.0

Fix missing TRUSTED_PROXIES environment var in stepup apps. #426

Closed thijskh closed 1 year ago

thijskh commented 1 year ago

Name of "engine"_trusted_proxy_ips might be a bit of a misnomer now but it's the correct variable to use.

quartje commented 1 year ago

If we have an Apache that supports it, we might be able to switch to the PROXY protocol in the future, so this config is no longer needed.

tvdijen commented 1 year ago

> If we have an Apache that supports it [...]

I think you can replace it with Apache's remoteip-module, which is generally available.

thijskh commented 1 year ago

That is possible, but it would require changing all apps that do something with this themselves now back to not doing that.

tvdijen commented 1 year ago

Maybe I'm taking this too lightly, but all the apps do is catch the X_FORWARDED_FOR header if it comes from a trusted proxy and replace the IP address for internal use, right?

So if you move that logic to the webserver, your apps will remain working just fine. All you have to remember is to clean up some code? I've been using the remoteip module for years already and just keep the trusted_proxy setting at null.
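The trusted-proxy check discussed in this thread, sketched as an added example (not code from the stepup apps, Symfony, or Apache's remoteip module). The function name, the sample proxy list and all addresses are constructed for illustration; the point is that a forwarded-for header is honoured only when the directly connected peer is a trusted proxy, and the chain is read right to left so that entries a client prepended are never reached.

```python
import ipaddress

# Constructed sample list; stands in for whatever the deployment puts in
# its trusted-proxy setting (for example a TRUSTED_PROXIES value).
SAMPLE_TRUSTED_PROXIES = ["10.0.0.0/8", "192.0.2.10"]


def _is_trusted(ip, networks):
    # Membership across IPv4/IPv6 simply evaluates to False.
    return any(ip in net for net in networks)


def resolve_client_ip(peer_addr, xff_header, trusted=SAMPLE_TRUSTED_PROXIES):
    """Return the address the application should treat as the client."""
    networks = [ipaddress.ip_network(n) for n in trusted]
    peer = ipaddress.ip_address(peer_addr)

    # A header sent by an untrusted peer is client-controlled: ignore it.
    if not xff_header or not _is_trusted(peer, networks):
        return str(peer)

    client = peer
    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the ones vouched for by our own proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = candidate
        if not _is_trusted(candidate, networks):
            break  # first hop that is not one of our proxies is the client
    return str(client)


if __name__ == "__main__":
    # Constructed requests: (peer address, forwarded-for header value)
    for peer, header in [
        ("10.0.0.5", "203.0.113.7"),
        ("198.51.100.9", "127.0.0.1"),
        ("10.0.0.5", "127.0.0.1, 203.0.113.7, 10.0.0.6"),
    ]:
        print(peer, "|", header, "->", resolve_client_ip(peer, header))
```

Whether this logic lives in each app or in the webserver, the trusted list has to match the proxies actually in front of the service; an empty or missing list means the header is never honoured and every request appears to come from the proxy.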