SkyeYoung commented on code in PR #12551:
URL: https://github.com/apache/apisix/pull/12551#discussion_r2324529834
##########
conf/config.yaml.example:
##########
@@ -141,6 +141,10 @@ apisix:
# or (standalone mode) the config isn't
loaded yet either via file or Admin API.
# disable_upstream_healthcheck: false # A global switch for healthcheck.
Defaults to false.
# When set to true, it overrides all
upstream healthcheck configurations and globally disabling healthchecks.
+# trusted_addresses: # When configured, APISIX will trust the
`X-Forwarded-*` Headers
+# - 127.0.0.1 # passed in requests from the IP/CIDR in the
list.
+# - 172.18.0.0/16 # CAUTION: When not configured, APISIX will
remove `X-Forwarded-*` headers
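Review bot: the CAUTION text on the `172.18.0.0/16` line is written as an inline comment on a sample list entry, so it reads as a remark about that entry rather than about `trusted_addresses` as a whole; put the description and the caution on comment lines above the key and keep the entries bare. The comment also covers only the "not configured" case, while the note added to docs/en/latest/plugins/chaitin-waf.md in this PR also covers a sender outside the configured range; state both cases here so the example file and the docs agree. Since a sample /16 is likely to be uncommented as is, a short remark that the list should hold only the proxies that connect directly to APISIX would help. Minor: "Headers" on the first added line is capitalised, "headers" on the CAUTION line is not.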
Review Comment:
override. changed
##########
docs/en/latest/plugins/chaitin-waf.md:
##########
@@ -70,6 +70,10 @@ The response headers are listed below:
| config.keepalive_timeout | integer | false | 60000 | Idle
connection timeout, in milliseconds.
|
| config.real_client_ip | boolean | false | true |
Specifies whether to use the `X-Forwarded-For` as the client IP (if present).
If `false`, uses the direct client IP from the connection. |
+:::note
+Only `X-Forwarded-*` headers sent from addresses in the
`apisix.trusted_addresses` configuration (supports IP and CIDR) will be trusted
and passed to plugins or upstream. If `apisix.trusted_addresses` is not
configured or the IP is not within the configured address range, all
`X-Forwarded-*` headers will be discarded.
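Review bot: "the IP" in the added note does not say which address is checked against `apisix.trusted_addresses`; name it explicitly as the address of the peer that sent the request to APISIX, since a reader could take it to mean the address carried in `X-Forwarded-For`. The note sits directly under the `config.real_client_ip` row, which uses `X-Forwarded-For` "if present", so it should also say that when the headers are discarded the plugin sees the direct client IP even with `real_client_ip` set to `true`. Separately, `+:::note` follows the last table row with no blank line between them in the lines shown; add an empty line so the admonition is not parsed as a continuation of the table.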
Review Comment:
done
--
This is an automated message from the Apache Git Service.