Opened 3 years ago
Last modified 2 years ago
#1486776 new Feature Patches
real ip across reverse proxy
| Reported by: | ajsouza | Owned by: | |
|---|---|---|---|
| Priority: | 7 | Milestone: | later |
| Component: | Core functionality | Version: | 0.4-beta |
| Severity: | normal | Keywords: | reverse proxy, real ip |
| Cc: | anjoel.s@… |
Description
With this patch, the session will store the real IP plus the real IP address across the reverse proxy, which is more secure and avoids session collision.
Need to look around the source for the same possible problems.
Attachments (1)
Change History (3)
Changed 3 years ago by ajsouza
comment:1 Changed 3 years ago by ajsouza
- Priority changed from 5 to 7
comment:2 Changed 2 years ago by amosjeffries
FYI: The change as submitted so far swaps one security risk for another equally bad.
XFF is trivially forged and to use its content a scan algorithm must be implemented using a list of trusted IPs and running from the RHS entry to LHS to detect the first non-trusted IP.
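
The right-to-left scan described in comment:2, as an added example that is not part of the ticket or its attached patch. The function names, the trusted proxy list and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: networks of the reverse proxies we operate (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def _is_trusted(addr, trusted):
    # Membership across IPv4/IPv6 versions is simply False, never an error.
    return any(addr in net for net in trusted)


def real_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address a session should be bound to.

    remote_addr is the TCP peer; xff_header is the raw X-Forwarded-For value.
    """
    peer = ipaddress.ip_address(remote_addr)
    # A peer that is not one of our proxies can put anything in XFF,
    # so the header is ignored and the peer address is used as-is.
    if not _is_trusted(peer, trusted) or not xff_header:
        return str(peer)

    candidate = peer
    # Walk from the right-hand (nearest hop) entry toward the left-hand one.
    for raw in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(raw.strip())
        except ValueError:
            # Malformed entry: stop and keep the last address a trusted hop reported.
            break
        candidate = hop
        if not _is_trusted(hop, trusted):
            # First non-trusted IP: everything further left is client-supplied.
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed header: the leftmost entry is forged by the client.
    print(real_client_ip("10.0.0.5", "1.2.3.4, 198.51.100.23, 10.0.0.9"))
```
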