When a request contains either the X-Forwarded-For or Forwarded headers and the originating host is trusted, the client IP should be derived from there instead.
There needs to be a configuration option for trusting IPs, subnets and a wildcard for when you can't know the proxy IP/range beforehand (i.e. AWS CloudFront).
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
https://symfony.com/doc/current/deployment/proxies.html
https://expressjs.com/en/guide/behind-proxies.html
When a request contains either the
X-Forwarded-FororForwardedheaders and the originating host is trusted, the client IP should be derived from there instead.There needs to be a configuration option for trusting IPs, subnets and a wildcard for when you can't know the proxy IP/range beforehand (i.e. AWS CloudFront).
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
https://symfony.com/doc/current/deployment/proxies.html
https://expressjs.com/en/guide/behind-proxies.html