tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 50453] Multiple X-Forwarded-For headers not handled by RemoteIP valve
Date Fri, 10 Dec 2010 20:25:03 GMT

--- Comment #5 from William A. Rowe Jr. <> 2010-12-10 15:24:59 EST ---
Rainer, the spec is absolutely clear about precidence, the last (rightmost)
value is added by the nearest adjacent proxy to the server agent.  Ergo, the
first (leftmost) value was added by the proxy closest to the user agent.

mod_remoteip uses this in combination of proxy trust metrics to determine how
far back to unwind that from the rightmost value.  Perhaps only the proxies
under the control of the server administrator will be trusted, in which case
only the last or near-last value will be used, or perhaps all servers are
trusted and any arbitrary value presented by any proxy will be accepted, in
which case the first value is used.

It entirely depends on what the administrator wants, either trusted values of
X-Forwarded-For presented by known proxy agents, or any arbitrary/potentially
spammed values.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message