Trusting proxy IP
Apparently there is some custom header that could be used to get the real client IP and cannot be spoofed (X-Envoy-External-Address or X-Real-Ip?)
Sounds like I cannot trust those custom headers with Laravel https://laravel.com/docs/11.x/requests. Is there some proxy IP that could be trusted?
Solution
X-Real-Ip is the header you trust as long as you aren't running behind another proxy (cloudflare)
https://utilities.up.railway.app/raw
Unfortunately it sounds like you cannot trust this header (which is railway specific I guess?) with Laravel
it's not railway specific in the slightest
X-Forwarded-For can also be trusted, as long as the rightmost value is used
Ok, thank you.
Is it guaranteed that the container be accessed directly? So I could basically trust the IP sent in the TCP packets (that should be the proxy IP)?
you can't access the application without first going through the http proxy
With Laravel this should be the way:
(not sure if I can change the title to be more Laravel specific)
make sure you are only trusting the rightmost value of that header
It only trusts the IP that is making the request as a proxy. If the container can't be reached from outside it's fine.
Thank you!
I think you are misunderstanding, users can set that header and then your application will receive a list of IPs instead of a single value
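Added example (not code from the thread, from Railway or from Laravel): plain PHP showing why only the right-most X-Forwarded-For value is safe to read when a client pre-sets the header. The function name, the `$trustedHops` parameter and the sample addresses are assumptions of this example, as is a proxy that appends the connecting address to whatever header value the client sent.

```php
<?php
declare(strict_types=1);

/**
 * Return the client IP recorded by the trusted proxy: the right-most
 * X-Forwarded-For entry. Entries to its left may have been sent by the client.
 *
 * $trustedHops (hypothetical parameter) is the number of proxies you control
 * that each append one entry; 1 when only the platform proxy is in front.
 */
function clientIpFromForwardedFor(?string $headerValue, string $remoteAddr, int $trustedHops = 1): string
{
    if ($headerValue === null || trim($headerValue) === '' || $trustedHops < 1) {
        return $remoteAddr; // no usable header: fall back to the TCP peer
    }

    $entries = array_map('trim', explode(',', $headerValue));
    $index = count($entries) - $trustedHops;
    if ($index < 0) {
        return $remoteAddr; // fewer entries than trusted proxies: malformed chain
    }

    $candidate = $entries[$index];
    // Reject anything that is not a literal IPv4/IPv6 address.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remoteAddr;
}

// Constructed sample values (documentation and private address ranges).
$proxyPeer = '10.0.0.5';

// Request without a client-supplied header: the proxy wrote the only entry.
echo clientIpFromForwardedFor('203.0.113.7', $proxyPeer), PHP_EOL;

// The client sent its own X-Forwarded-For value; the proxy appended the real peer.
$clientSupplied = '198.51.100.99, 203.0.113.7';
echo clientIpFromForwardedFor($clientSupplied, $proxyPeer), PHP_EOL;

// Reading the left-most entry instead returns the value the client chose.
echo trim(explode(',', $clientSupplied)[0]), PHP_EOL;
```

With a second proxy you control in front (the Cloudflare case mentioned above), each hop appends one entry, so the same function is called with `$trustedHops` set to 2.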