Get IP from "standard" HTTP headers #3287
Comments
matrixbot
added
good first issue
|
This comment was originally posted by @S7evinK at matrix-org/dendrite#3287 (comment). Change somewhere here (or in this file): |
|
This comment was originally posted by @zbig-t at matrix-org/dendrite#3287 (comment). Thanks, I think (hope) that's not beyond my abilities. Will create a PR once I mange to take care of that. |
|
This comment was originally posted by @Curious-r at matrix-org/dendrite#3287 (comment). I think it's necessary. |
|
This comment was originally posted by @bones-was-here at matrix-org/dendrite#3287 (comment). None of these headers are safe to trust in the default configuration, unless Dendrite will never use the information for anything important. To be trustworthy the IP header must be set by a trusted reverse proxy that also discards any (potentially spoofed) information it receives in these headers. The various proxy implementations have different default behaviours, might not be using their defaults, or the admin might not be using a proxy at all. |
This issue was originally created by @S7evinK at matrix-org/dendrite#3287.
...
But, if I may, do you think Dendrite should perhaps auto-try any of the standard "this is the client's real IP" headers automatically? Do you see any downsides in doing that? For what it's worth, from my limited self-hosting experience, many applications do it automatically, given the current trends in hosting stuff (everything behind reverse proxy or ingress or whatever)
Best regards
Zbig
Originally posted by @zbig-t in matrix-org/dendrite#3286 (comment)
The text was updated successfully, but these errors were encountered: