mochi / mochiweb

MochiWeb is an Erlang library for building lightweight HTTP servers.

Support multiple values in x-forwarded-for and internet proxies #227

Closed suexcxine closed 4 years ago

suexcxine commented 5 years ago
X-Forwarded-For: client, proxy1, proxy2

X-Forwarded-For may contain multiple values, so we need to replace lists:last with hd in order to get the client IP. And whether it's from the intranet or not, so remove the 192.168 or 100 expressions.

etrepum commented 4 years ago

This can't be merged because it breaks backwards compatibility. The logic is done this way intentionally. Under a typical deployment scenario, there's one layer of proxies that you control, and that's all that can be trusted. If your proxy does not strip the XFF header from the client, this logic allows an attacker to spoof any address they like.
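The two readings of the header side by side, as an added illustration written for this thread (not mochiweb's code): the PR's leftmost-value approach against a trusted-hop walk that, with one proxy layer you control, reduces to mochiweb's existing lists:last behaviour. The header values and proxy addresses below are constructed sample data.

```python
"""Illustrative X-Forwarded-For (XFF) handling; not part of mochiweb.

Model: the server sees the TCP peer address plus the XFF header as forwarded
by a layer of proxies under your control. Each controlled proxy appends the
address of the hop that connected to it, so the rightmost values are the
ones you can trust; anything further left may have been sent by the client.
"""

def parse_xff(header):
    """Split an XFF value into its comma-separated hops, left to right."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]

def client_ip_leftmost(header, peer):
    """The PR's proposal (hd): take the first value.

    Whatever the client puts at the front of its own XFF header wins, so a
    client can make the server log or rate-limit any address it likes."""
    hops = parse_xff(header)
    return hops[0] if hops else peer

def client_ip_trusted_hops(header, peer, trusted_proxies):
    """Walk the chain from the right, dropping proxies we control.

    The first address not in trusted_proxies is the best-effort client
    address. With exactly one controlled proxy layer this is the same answer
    as lists:last on the header, which is mochiweb's current logic. It still
    relies on the controlled proxy appending its peer; a proxy that forwards
    the client's header untouched leaves nothing trustworthy to find."""
    hops = parse_xff(header) + [peer]  # peer is the rightmost (last) hop
    for addr in reversed(hops):
        if addr not in trusted_proxies:
            return addr
    return peer  # every hop was one of ours; fall back to the TCP peer

if __name__ == "__main__":
    # Constructed scenario: the client sent its own XFF claiming 198.51.100.7,
    # the controlled proxy 10.0.0.2 did not strip it but appended the real
    # client address 203.0.113.9 before forwarding to us.
    xff = "198.51.100.7, 203.0.113.9"
    peer = "10.0.0.2"
    print("leftmost (hd):   ", client_ip_leftmost(xff, peer))            # 198.51.100.7
    print("trusted-hop walk:", client_ip_trusted_hops(xff, peer, {peer}))  # 203.0.113.9
```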