... and will validate the incoming forwarded headers to verify that they are trusted, taking the first untrusted IP address that it finds as the reported user remote address.
What am I missing here?
The documentation says

> Play provides a configuration option to configure a list of trusted proxies, and will validate the incoming forwarded headers to verify that they are trusted

After looking at the source code again I think you're right, the immediate connection is checked against the trusted proxy list, too. Not only the incoming forwarded headers.
So knowing the address range of the immediate connection would solve the problem.
On Friday, February 16, 2018 at 7:05:37 AM UTC+1, Dominic Scheirlinck wrote:

> On Friday, February 16, 2018 at 6:57:37 AM UTC+13, Simon wrote:
>
> > What am I missing here?
>
> Just that the approach to parsing forwarded headers is to append the immediate connection address (default value of request.remoteAddress) to the end of the sequence of IPs obtained from the forwarded header before processing that sequence.
>
> So, if the immediate connection address isn't in the trusted proxies, it's used in preference to the one at the end of the forwarded header (because this scenario implies an untrusted address connecting directly to the server).
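The resolution rule Dominic describes, written out as an added illustration (this is not Play's own code): the immediate connection address is appended to the X-Forwarded-For chain, the chain is walked from the right, and the first address that is not a trusted proxy becomes the reported remote address. The trusted list, the sample addresses and the behaviour when every hop is trusted (keep the leftmost address) are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, List


def parse_trusted(trusted: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    # Accept single addresses or CIDR ranges; strict=False tolerates host bits.
    return [ipaddress.ip_network(t, strict=False) for t in trusted]


def is_trusted(addr: str, nets: List[ipaddress._BaseNetwork]) -> bool:
    # Anything that is not a parseable IP cannot be a trusted proxy.
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in n for n in nets)


def resolve_remote_address(forwarded_for: str, immediate: str,
                           trusted: Iterable[str]) -> str:
    """Return the client address a server behind trusted proxies should report.

    forwarded_for: raw X-Forwarded-For header value ("" if absent)
    immediate:     address of the TCP peer that connected to us
    trusted:       addresses / CIDR ranges of proxies we trust
    """
    nets = parse_trusted(trusted)
    chain = [p.strip() for p in forwarded_for.split(",") if p.strip()]
    # The peer we actually talked to goes last, so it is checked first.
    chain.append(immediate)
    for addr in reversed(chain):
        if not is_trusted(addr, nets):
            return addr
    # Assumption for the example: every hop is trusted, keep the leftmost one.
    return chain[0]


if __name__ == "__main__":
    trusted = ["10.0.0.0/8", "127.0.0.1"]  # constructed sample proxy list
    # Untrusted peer connects directly and forges the header: header ignored.
    print(resolve_remote_address("1.2.3.4, 10.0.0.1", "203.0.113.9", trusted))
    # Real proxy forwards a client that itself sent a forged header:
    # the proxy's own entry (198.51.100.7) wins, not the forged 1.2.3.4.
    print(resolve_remote_address("1.2.3.4, 198.51.100.7", "10.0.0.5", trusted))
```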
The immediate connection address has to be checked to tell if you can trust the forwarded headers you're getting. Otherwise anyone could send you fake forwarded headers.
play.http.forwarded.trustImmediateConnection
would be great.