Skip to content

Commit

Permalink
Merge pull request #377 from johannesx75/patch-3
Browse files Browse the repository at this point in the history
DOC Mention that SS_TRUSTED_PROXY_IPS supports subnets
  • Loading branch information
GuySartorelli authored Oct 19, 2023
2 parents c2bb37f + 3e54617 commit cf82bdd
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion en/02_Developer_Guides/09_Security/04_Secure_Coding.md
Original file line number Diff line number Diff line change
Expand Up @@ -673,6 +673,13 @@ server IPs using the SS_TRUSTED_PROXY_IPS define in your `.env`.
SS_TRUSTED_PROXY_IPS="127.0.0.1,192.168.0.1"
```
You can also whitelist subnets in CIDR notation if you don't know the exact IP of a trusted proxy.
For example, some cloud provider load balancers don't have fixed IPs.
```
SS_TRUSTED_PROXY_IPS="10.10.0.0/24,10.10.1.0/24,10.10.2.0/24"
```
If you wish to change the headers that are used to find the proxy information, you should reconfigure the
TrustedProxyMiddleware service:
Expand All @@ -695,7 +702,7 @@ At the same time, you'll also need to define which headers you trust from these

If there is no proxy server, 'none' can be used to distrust all clients.
If only trusted servers will make requests then you can use '*' to trust all clients.
Otherwise a comma separated list of individual IP addresses should be declared.
Otherwise a comma separated list of individual IP addresses (or subnets in CIDR notation) should be declared.

This behaviour is enabled whenever `SS_TRUSTED_PROXY_IPS` is defined, or if the
`BlockUntrustedIPs` environment variable is declared. It is advisable to include the
Expand Down

0 comments on commit cf82bdd

Please sign in to comment.