Increase security of X-Forwarded-For header usage by using last ip by default #20341
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sgiehl
approved these changes
Feb 9, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
PR #17765 already added support to use the last ip in the X-Forwarded header list by adding the
proxy_ip_read_last_in_listconfig option, but by default it is false.This PR changes the default
global.ini.phpvalue toproxy_ip_read_last_in_list = 1As this is a potentially breaking change, the following tasks are also need to be completed:
✔️ Developer change log updated
✔️ Update the guide in https://matomo.org/faq/how-to-install/faq_98/ to mention people may need to disable this feature if the first IP should be used.
Fixes #17202
Review