[wp-trac] [WordPress Trac] #9235: Extract real IP behind a load balancer
WordPress Trac
wp-trac at lists.automattic.com
Fri Jul 31 09:28:54 UTC 2009
#9235: Extract real IP behind a load balancer
-------------------------------------------+--------------------------------
Reporter: Denis-de-Bernardy | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone: 2.9
Component: Optimization | Version: 2.7
Severity: normal | Resolution: wontfix
Keywords: has-patch tested commit early |
-------------------------------------------+--------------------------------
Changes (by markjaquith):
* status: assigned => closed
* resolution: => wontfix
Comment:
Using another header for the real IP requires knowledge about how the
server is setup. You'd need a whitelist of internal addresses so that
people couldn't fool your system into accepting an incorrect IP address.
Take a look at Apache's mod_rpaf:
http://stderr.net/apache/rpaf/
That's what I use to give Apache the correct IP address from nginx. But
it's whitelisted so that if you do manage to connect to Apache directly,
you can't fill in that header and have Apache use it.
I don't think that this belongs at the application level. Closing as
WONTFIX, but if someone feels really strongly about this, reopen and make
your case for why doing it at the app level is better than doing it at the
HTTP server level.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9235#comment:26>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list