Details
- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 5.10.0-b2
- Fix Version/s: 5.12.0-b1
- Component/s: None
- Labels: None
Description
If under Settings > System > General, "My installation is behind a proxy or load balancer" is enabled, we look for and log the x-forwarded-for header instead, which should contain the original client IP.
However, if there is more than one proxy, x-forwarded-for headers are appended to include the IPs of all the steps from client to server.
We should detect whether there are multiple IPs in x-forwarded-for if this setting is enabled, and if there are, parse them out and log only the 1st occurring IP address, whether IPv4 or IPv6.
Here is the RFC: https://datatracker.ietf.org/doc/html/rfc7239
Note that IPs may contain ports and other data, examples:
Forwarded: for="_gazonk"
Forwarded: For="[2001:db8:cafe::17]:4711"
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
Forwarded: for=192.0.2.43, for=198.51.100.17
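
One way to do the parsing requested above, as an added Python example that is not the product's own code: it takes the leftmost element of either `X-Forwarded-For` or the RFC 7239 `Forwarded` header and returns it as a bare IP, dropping quotes, brackets and ports. The function names are hypothetical, and it assumes the caller passes one combined header value and that a non-IP first element (such as `_gazonk` or `unknown`) should be logged as absent rather than replaced by a later hop.

```python
import ipaddress


def _to_ip(token):
    """Return a normalized IP string for one node token, or None."""
    token = token.strip().strip('"').strip()
    if token.startswith("["):              # [IPv6] or [IPv6]:port
        end = token.find("]")
        if end == -1:
            return None
        host = token[1:end]
    elif token.count(":") == 1:            # IPv4:port
        host = token.split(":", 1)[0]
    else:                                  # bare IPv4 or bare IPv6
        host = token
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:                     # obfuscated id, "unknown", garbage
        return None


def first_client_ip(header_name, header_value):
    """Leftmost element of X-Forwarded-For / Forwarded as an IP, or None."""
    first = header_value.split(",", 1)[0]  # elements are comma-separated
    if header_name.lower() == "forwarded":
        # RFC 7239: an element is ;-separated name=value pairs,
        # and parameter names are case-insensitive ("For" == "for").
        for pair in first.split(";"):
            name, _, value = pair.partition("=")
            if name.strip().lower() == "for":
                return _to_ip(value)
        return None
    return _to_ip(first)


if __name__ == "__main__":
    # Header values from the ticket, plus two constructed X-Forwarded-For lines.
    samples = [
        ("Forwarded", 'for="_gazonk"'),
        ("Forwarded", 'For="[2001:db8:cafe::17]:4711"'),
        ("Forwarded", "for=192.0.2.60;proto=http;by=203.0.113.43"),
        ("Forwarded", "for=192.0.2.43, for=198.51.100.17"),
        ("X-Forwarded-For", "203.0.113.7:51234, 198.51.100.17"),  # constructed
        ("X-Forwarded-For", "2001:db8::1, 192.0.2.1"),            # constructed
    ]
    for name, value in samples:
        print(f"{name}: {value!r} -> {first_client_ip(name, value)}")
```

The leftmost element is whatever the original sender put in the header unless the outermost proxy strips or overwrites inbound copies, so the logged value is only as reliable as that proxy's configuration.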