Closed suexcxine closed 4 years ago
This can't be merged because it breaks backwards compatibility. The logic is done this way intentionally. Under a typical deployment scenario, there's one layer of proxies that you control, and that's all that can be trusted. If your proxy does not strip the XFF header from the client, this logic allows an attacker to spoof any address they like.
X-Forwarded-For may contain multiple values, so we need to replace `lists:last` with `hd` in order to get the client IP, and whether it's from the intranet or not, so remove the 192.168 or 100 expressions.
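An added illustration of the maintainer's objection above (example code, not the project's own and not either commenter's): with one trusted proxy that appends the TCP peer address to X-Forwarded-For, `hd/1` returns whatever the client chose to send, while `lists:last/1` returns the address the proxy actually observed. The module name, function names and sample addresses are assumptions; the last function generalises the same rule to N trusted proxies.

```erlang
%% Constructed example: first vs. last X-Forwarded-For value when the
%% proxy layer you control appends the peer address instead of stripping
%% the header the client sent.
-module(xff_example).
-export([split_xff/1, client_ip_first/1, client_ip_last/1,
         client_ip_trusted/2, demo/0]).

%% Split "a, b, c" into ["a", "b", "c"], trimming whitespace around each hop.
split_xff(Header) ->
    [string:trim(Part) || Part <- string:split(Header, ",", all),
                          string:trim(Part) =/= ""].

%% The change proposed in the PR: take the first value. Any client can
%% put an arbitrary address here before the request reaches the proxy.
client_ip_first(Header) ->
    case split_xff(Header) of
        []       -> undefined;
        [H | _]  -> H
    end.

%% Existing behaviour: take the last value, i.e. the one the nearest
%% (trusted) proxy appended from the connection it actually saw.
client_ip_last(Header) ->
    case split_xff(Header) of
        []   -> undefined;
        Hops -> lists:last(Hops)
    end.

%% Generalisation: with N trusted proxies in front of the app, each one
%% appends a hop, so the client address is the N-th value from the right.
%% Fewer hops than proxies means the header was not built by our own
%% proxy chain, so nothing in it can be trusted.
client_ip_trusted(Header, TrustedProxies) when TrustedProxies >= 1 ->
    Hops = split_xff(Header),
    case length(Hops) >= TrustedProxies of
        true  -> lists:nth(length(Hops) - TrustedProxies + 1, Hops);
        false -> undefined
    end.

%% Assumed scenario: the client sent "X-Forwarded-For: 10.0.0.1" and the
%% edge proxy appended the real peer 203.0.113.7 (both addresses constructed).
demo() ->
    Spoofed = "10.0.0.1, 203.0.113.7",
    "10.0.0.1"    = client_ip_first(Spoofed),        % attacker-chosen
    "203.0.113.7" = client_ip_last(Spoofed),         % proxy-observed
    "203.0.113.7" = client_ip_trusted(Spoofed, 1),   % same, one proxy
    undefined     = client_ip_trusted("10.0.0.1", 2), % chain too short
    ok.
```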