Allow ignoring incoming headers that would be reported with extractClientIP #2924
extractClientIP gets its data from the possibly-untrustworthy What we could do is:
New remote-address-attribute feature added in #3051.
I'm not sure I agree. What is the purpose of AFAICS it's not to get a safe/reliable/secure client IP: if you want to get the client IP reliably, you should use the attribute, or (if you have proxies in between) you should first make sure the proxies correctly set a certain header (which might be one of the
So looking at it that way, looking at the headers first and the attribute last in
Yes, I think the header provided by proxies may be more suitable than the attribute when using extractClientIP.
Yes, you are right, maybe we can/should just switch
Depending on whom you receive these kinds of headers from, they might not be trustworthy (you might trust your reverse proxy but you cannot trust headers from any kind of client). So, you cannot distinguish headers from the client from headers by the akka-http infrastructure.
An alternative could be to put remote address information into a message attribute in 10.2.x.
When done, review documentation (also wrt changes added in #2922).
TODO list:
remote-address-attribute feature (core: add akka.http.server.remote-address-attribute #2924 #3051)
extractClientIp
remote-address-header feature
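
The trust rule discussed in this thread, as an added example that is not akka-http code and not part of the original issue: forwarding headers are honoured only when the connection's peer address is a known reverse proxy, and `X-Forwarded-For` is then read right to left. The names `TRUSTED_PROXIES` and `resolve_client_ip`, the proxy range and all addresses are constructed assumptions.

```python
import ipaddress

# Assumption (constructed): the reverse proxies allowed to set forwarding headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(value):
    """Return an IP address, or None for garbage such as 'unknown'."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def resolve_client_ip(peer, headers):
    """peer: address of the TCP connection (the value a remote-address
    attribute carries). headers: dict of incoming request headers."""
    peer_addr = ipaddress.ip_address(peer)
    # The peer is not one of our proxies, so any forwarding header was
    # written by the client itself: ignore it.
    if not _is_trusted(peer_addr):
        return str(peer_addr)
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, the leftmost ones are whatever the client chose to send.
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:
            break  # malformed entry: trust nothing further to the left
        if not _is_trusted(addr):
            return str(addr)
    return str(peer_addr)


if __name__ == "__main__":
    # Constructed requests: a direct client spoofing the header, then the
    # same spoof arriving through a trusted proxy.
    print(resolve_client_ip("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"}))
    print(resolve_client_ip("10.0.0.5", {"X-Forwarded-For": "127.0.0.1, 192.0.2.44"}))
```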