a year ago
Apparently there is some custom header that could be used to get the real client IP and cannot be spoofed (X-Envoy-External-Address or X-Real-Ip?)
Sounds like I cannot trust those custom headers with Laravel https://laravel.com/docs/11.x/requests. Is there some proxy IP that could be trusted?
13 Replies
a year ago
X-Real-Ip is the header you trust as long as you aren't running behind another proxy (Cloudflare)
Unfortunately it sounds like you cannot trust this header (which is Railway specific I guess?) with Laravel

a year ago
It's not Railway specific in the slightest
a year ago
X-Forwarded-For can also be trusted, as long as the right most value is used
Ok, thank you.
Is it guaranteed that the container can't be accessed directly? So I could basically trust the IP sent in the TCP packets (that should be the proxy IP)?
a year ago
you can't access the application without first going through the http proxy
a year ago
make sure you are only trusting the right most value of that header
It only trusts the IP that is making the request as a proxy. If the container can't be reached from outside it's fine.
a year ago
I think you are misunderstanding, users can set that header and then your application will receive a list of IPs instead of a single value

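The point made in the thread, that a client can pre-fill X-Forwarded-For and the proxy then appends the real address so the app sees a list, as an added example that is not Railway's or Laravel's code. It simulates the proxy's append step and resolves the client IP by walking the header from the right past trusted proxy addresses; the 10.0.0.0/8 proxy range and all IPs are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder: the address range the app accepts as its proxy.
# A real deployment lists the actual proxy addresses here, nothing wider.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def is_trusted(addr: str) -> bool:
    """True when addr belongs to a trusted proxy range (raises on garbage)."""
    return any(ip_address(addr.strip()) in net for net in TRUSTED_PROXIES)


def proxy_forward(client_headers: dict, client_addr: str) -> dict:
    """Simulate the HTTP proxy: append the connecting address to X-Forwarded-For.

    If the client already sent the header, its value is kept and the real
    address goes on the right, so the app receives a comma-separated list.
    """
    forwarded = dict(client_headers)
    existing = client_headers.get("X-Forwarded-For")
    forwarded["X-Forwarded-For"] = f"{existing}, {client_addr}" if existing else client_addr
    return forwarded


def client_ip(headers: dict, peer_addr: str) -> str:
    """Resolve the real client IP: rightmost X-Forwarded-For hop not owned by a trusted proxy.

    Everything left of that hop was supplied by whoever connected to the proxy
    and is ignored. If the TCP peer is not a trusted proxy, the header is
    untrusted entirely and the peer address is the client.
    """
    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if is_trusted(hop):
                continue  # an intermediate proxy of ours; keep walking left
        except ValueError:
            return peer_addr  # malformed value: fail safe to the TCP peer
        return hop
    return peer_addr  # no untrusted hop present


if __name__ == "__main__":
    # Client tries to claim 1.2.3.4; the proxy appends the address it saw.
    seen_by_app = proxy_forward({"X-Forwarded-For": "1.2.3.4"}, "203.0.113.9")
    print(seen_by_app["X-Forwarded-For"])       # 1.2.3.4, 203.0.113.9
    print(client_ip(seen_by_app, "10.0.0.5"))   # 203.0.113.9
```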