Differences

This shows you the differences between two versions of the page.

--- config:trustedproxy [2020-05-06 12:34] – [See also] use [[issue>]] for github issue, instead of [[bug>]] Klap-in
+++ config:trustedproxy [2022-12-10 00:53] (current) – old revision restored (2020-11-15 23:25) Klap-in
@@ Line 1: / Line 1: @@
 ====== Configuration Setting: trustedproxy ======
-DokuWiki uses the requesting IP address for logging anonymous edits, locking pages etc.
+DokuWiki uses the requesting IP address for logging anonymous edits, locking pages, and signing auth cookies etc.
-When running it behind a reverse proxy, the directly requesting IP is always the Proxy-Address which is useless for the mentioned purpose. Instead the ''HTTP_X_FORWARDED_FOR'' and ''HTTP_X_REAL_IP'' headers are used to determine the original IP address.
+When running it behind a reverse proxy, the directly requesting IP is always the proxy address which is useless for the mentioned purpose. Instead the ''HTTP_X_FORWARDED_FOR'' and ''HTTP_X_REAL_IP'' headers are used to determine the original IP address.
-To avoid that malicious users could spoof this header, it is only trusted if the request is coming from an IP matching the regular expression in in this setting.
+Starting Hogfather, this header is only trusted if the request is coming from an IP matching the regular expression in this config option, to avoid that malicious users spoof this header. Before Hogfather, the code had some check against local IP address, but the behavior was non-standard and not secure enough.
-The default trusts local network IPs only. Emptying this setting will make DokuWiki never trust the forward headers.
+The default value trusts local network IPs only. Emptying this setting will make DokuWiki never trust the forward headers.
   * Type: String