Should there be a warning in the documentation on usage of $proxy_add_x_forwarded_for 
for the X-Forwarded-For proxy header on edge proxies?

I keep seeing config examples with proxy settings like this:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Which doesn't make sense on edge servers as there's no way to trust the 
client-provided value. At best it just adds unnecessary complexity trying to 
figure out the last "trustworthy" entry.

The correct value should be just $remote_addr (and thus drop client-provided 
values).

I think $proxy_add_x_forwarded_for should only be used for proxies located 
behind another proxy.

(or someone please correct me on this)
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
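
The difference between the two settings on an edge proxy, modelled in Python as an added example (not part of the original post and not nginx code). The addresses, the trusted range and the two backend helper functions are constructed for illustration; only the append behaviour of $proxy_add_x_forwarded_for follows the nginx documentation.

```python
import ipaddress

def proxy_add_x_forwarded_for(client_xff, remote_addr):
    """Model of $proxy_add_x_forwarded_for: the client's X-Forwarded-For
    value with $remote_addr appended, or $remote_addr alone if absent."""
    return f"{client_xff}, {remote_addr}" if client_xff else remote_addr

def leftmost(xff):
    """Naive backend logic (hypothetical): first entry is the client."""
    return xff.split(",")[0].strip()

def rightmost_untrusted(xff, peer_addr, trusted_nets):
    """The extra work the append variant forces on the backend: walk the
    chain backwards from the connecting peer and return the first
    address that is not one of our own proxies."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    chain = [e.strip() for e in xff.split(",") if e.strip()] + [peer_addr]
    for entry in reversed(chain):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None  # unparsable entry reached before any untrusted hop
        if not any(addr in n for n in nets):
            return entry
    return None  # every hop, including the peer, was one of our proxies

# Constructed sample request (all values are assumptions for the example).
FORGED = "10.0.0.1"         # X-Forwarded-For value supplied by the client
CLIENT = "203.0.113.7"      # $remote_addr as seen by the edge proxy
EDGE = "192.0.2.10"         # edge proxy address as seen by the backend
TRUSTED = ["192.0.2.0/24"]  # range holding our own proxies

# Edge configured with $proxy_add_x_forwarded_for: forged entry survives.
appended = proxy_add_x_forwarded_for(FORGED, CLIENT)
# Edge configured with $remote_addr: client-provided value is dropped.
overwritten = CLIENT

if __name__ == "__main__":
    for label, xff in (("append", appended), ("overwrite", overwritten)):
        print(f"{label:9} XFF={xff!r:26} leftmost={leftmost(xff):12} "
              f"rightmost_untrusted={rightmost_untrusted(xff, EDGE, TRUSTED)}")
```

With the append variant only the right-to-left walk recovers the real client address; with $remote_addr at the edge both readings agree and the backend needs no trust list for that hop.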
