Open Yoda-BZH opened 2 weeks ago
This is a good idea! It would help debugging traffic, by being more succinct than the X-Forwarded-For header.
The X-Real-Ip is not part of any RFC, however, and seems to be used mainly by Nginx, and Apache too.
We can fear that backends served by Sōzu will look into this X-Real-Ip header and behave in unpredictable ways. They may, for instance, compare its value with the list of IPs in the X-Forwarded-For header (not itself part of the HTTP RFC) and decide to deny the traffic for whatever reason.
We could use an X-Real-Ip-like header, but with a different name, unique to Sōzu (in the spirit of Sozu-Id). How about X-Sozu-Remote-Addr?
The behaviour would be:
- X-Sozu-Remote-Addr header is not present in the request, write it
- X-Sozu-Remote-Addr is already present, overwrite it

(commented after a discussion with @FlorentinDUBOIS and @Yoda-BZH)
sounds good :)
Hello,
Would it be possible to have the header X-Real-IP when sozu requests the backend? Relying on X-Forwarded-For is unsecure as it may be forged by the client.
A typical request would look like :
Typical nginx configuration to declare X-Real-IP:
If the header already exists in the request, the field should be overwritten.
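
Added example, not part of the thread and not Sōzu's own code: a sketch of the write-or-overwrite behaviour discussed above for the proposed X-Sozu-Remote-Addr header, showing why every client-supplied copy must be dropped before the proxy writes its own. The helper names, the list-of-pairs header representation and the sample request are assumptions made for illustration.

```rust
use std::net::{IpAddr, SocketAddr};

/// Header name proposed in the thread.
const REMOTE_ADDR_HEADER: &str = "X-Sozu-Remote-Addr";

/// Hypothetical proxy-side helper: drop every client-supplied copy of the
/// header (field names compared case-insensitively), then write exactly one
/// copy carrying the TCP peer address. Covers both "absent" and "present".
fn set_remote_addr(headers: &mut Vec<(String, String)>, peer: SocketAddr) {
    headers.retain(|(name, _)| !name.trim().eq_ignore_ascii_case(REMOTE_ADDR_HEADER));
    headers.push((REMOTE_ADDR_HEADER.to_string(), peer.ip().to_string()));
}

/// Hypothetical backend-side read: trust the header only when exactly one
/// copy exists and it parses as an IP address.
fn remote_addr(headers: &[(String, String)]) -> Option<IpAddr> {
    let mut values = headers
        .iter()
        .filter(|(name, _)| name.trim().eq_ignore_ascii_case(REMOTE_ADDR_HEADER))
        .map(|(_, value)| value.trim());
    match (values.next(), values.next()) {
        (Some(value), None) => value.parse().ok(),
        _ => None, // missing or duplicated: do not guess
    }
}

/// Constructed sample request in which the client forges the header twice,
/// using different letter case, alongside a forged X-Forwarded-For.
fn forged_request() -> Vec<(String, String)> {
    vec![
        ("Host".to_string(), "example.com".to_string()),
        ("X-Forwarded-For".to_string(), "10.0.0.1".to_string()),
        ("x-sozu-remote-addr".to_string(), "127.0.0.1".to_string()),
        ("X-SOZU-REMOTE-ADDR".to_string(), "10.0.0.1".to_string()),
    ]
}

fn main() {
    let mut headers = forged_request();
    let peer: SocketAddr = "203.0.113.7:51234".parse().unwrap(); // constructed peer
    set_remote_addr(&mut headers, peer);
    for (name, value) in &headers {
        println!("{}: {}", name, value);
    }
    println!("backend sees {:?}", remote_addr(&headers));
}
```

Appending instead of overwriting, or matching the name case-sensitively, would let one of the forged copies reach the backend next to the genuine value.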