Honor X-Real-IP and / or X-Forwarded-For when behind a reverse proxy
When behind a reverse proxy, the log reports the proxy's IP address instead of the client's. Please provide a way to honor the 'X-Real-IP' and / or 'X-Forwarded-For' headers to retrieve the actual client's IP address.
I guess this is needed for the
dos whitelist to be effective as well.
I'm aware that these headers can be spoofed by the client. Several methods exist to mitigate this. See for example how it is done for the PeerTube service, using a list of trusted proxies' CIDRs.
Thanks in advance for considering.