Reverse Proxy Standards

Veesh Goldman

May 19, 2019, 3:23:41 PM
to mojol...@googlegroups.com
I'm currently working on a project using Google's App Engine. I noticed an issue with the reverse proxy feature, that Mojolicious pulls the last entry from the header (the X-Forwarded-For header is a list of the proxies that the request traversed). The way Google sets it up is that the first entry is the actual request IP, not the last entry.

Is this a nonstandard move on Google's half, or on Mojo's?

Dan Book

May 19, 2019, 5:26:16 PM
to mojol...@googlegroups.com
It can't use the first entry, because each reverse proxy will append to the header, and so the first one could be anything supplied by the user. This is also why reverse proxy detection must be opted into to begin with. You can use https://metacpan.org/pod/Mojolicious::Plugin::ForwardedFor to specify how many reverse proxy levels you are deploying behind to retrieve the correct address.

-Dan
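
The rule described in the reply above, as an added example that is not part of the original thread and not code from Mojolicious or the ForwardedFor plugin: counting X-Forwarded-For entries from the right by the number of reverse proxies you operate, next to the first-entry value a client can forge. The helper name `client_from_xff`, the sample addresses and the fallback to the TCP peer address are assumptions of this example.

```perl
use v5.14;
use warnings;

# Hypothetical helper, not a Mojolicious or plugin API. $levels is the number
# of reverse proxies you operate in front of the application.
sub client_from_xff {
    my ($xff, $peer_addr, $levels) = @_;

    # No trusted proxy: the header is entirely client-controlled, ignore it.
    return $peer_addr if $levels < 1;

    my @hops = grep { length } map { s/^\s+|\s+$//gr } split /,/, ($xff // '');

    # Each trusted proxy appends the address it received the request from,
    # so only the last $levels entries were written by your own proxies.
    # Fewer entries than that means the request skipped part of the chain;
    # falling back to the TCP peer is this example's choice (an assumption).
    return $peer_addr if @hops < $levels;

    # Everything to the left of this entry was supplied by the client.
    return $hops[-$levels];
}

# Constructed sample requests (documentation address ranges); 10.0.0.2 stands
# in for the TCP peer, i.e. the proxy closest to the application.
my @cases = (
    ['one proxy, honest client',        '203.0.113.7',                          1],
    ['one proxy, forged first entry',   '198.51.100.99, 203.0.113.7',           1],
    ['two proxies, forged first entry', '198.51.100.99, 203.0.113.7, 10.0.0.1', 2],
    ['two proxies, chain bypassed',     '198.51.100.99',                        2],
);

for my $case (@cases) {
    my ($label, $xff, $levels) = @$case;
    my $addr = client_from_xff($xff, '10.0.0.2', $levels);
    my ($first) = split /\s*,\s*/, $xff;    # what a first-entry rule would pick
    printf "%-32s trusted=%-13s first-entry=%s\n", $label, $addr, $first;
}
```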
