aptible config:set --app "$APP_HANDLE" "IGNORE_INVALID_HEADERS=off"
X-Forwarded-Proto (http or https).
X-Forwarded-For
The X-Forwarded-For header is structured as a comma-separated list of IP addresses. It is generated by the proxies that handle the request from an end user to your app: each proxy appends the client IP it sees to the header.
Here are a few examples. Without a CDN in front of your app, the header looks like this: $USER_IP,$ALB_IP.
However, be mindful that end users may themselves set the X-Forwarded-For header in their request (typically when they are trying to spoof some IP address validation performed in your app). This means the header might look like this: $SPOOFED_IP_A,$SPOOFED_IP_B,$SPOOFED_IP_C,$USER_IP,$ALB_IP.
When processing the X-Forwarded-For header, it is important that you always start from the end and work your way back to the IP you are looking for. In this scenario, this means you should look at the second-to-last IP address in the X-Forwarded-For header.
When a CDN sits in front of your app (... if you're unsure), the X-Forwarded-For header will look like this: $USER_IP,$CDN_IP,$ALB_IP.
Similarly to the example above, keep in mind that the user can inject arbitrary IPs at the head of the list in the X-Forwarded-For header. For example, the header could look like this: $SPOOFED_IP_A,$SPOOFED_IP_B,$USER_IP,$CDN_IP,$ALB_IP.
So, in this case, you need to look at the third-to-last IP address in the X-Forwarded-For header.
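As an added example (not code from the Aptible documentation), here is a Python helper that applies the count-from-the-end rule above: it takes the number of proxies you control (1 for the load balancer alone, 2 for a CDN plus the load balancer) and returns the client IP that sits just before those trusted entries, ignoring anything a user may have injected at the head of the list. The `trusted_proxies` parameter, the function names and the sample IP values are assumptions for illustration.

```python
import ipaddress
from typing import Optional


def client_ip_from_xff(header: str, trusted_proxies: int) -> Optional[str]:
    """Return the client IP from an X-Forwarded-For header.

    trusted_proxies (assumed parameter) is the number of proxies you
    control between the user and your app: 1 when only the load balancer
    is in front of the app, 2 when a CDN sits in front of the load
    balancer. The rightmost trusted_proxies entries were appended by
    those proxies, so the client IP is the entry immediately before them.
    Anything further left may have been injected by the user and is ignored.
    """
    hops = [h.strip() for h in header.split(",") if h.strip()]
    # We need at least trusted_proxies + 1 entries; fewer means the request
    # did not pass through the proxies we expected, or the header is malformed.
    if len(hops) < trusted_proxies + 1:
        return None
    candidate = hops[-(trusted_proxies + 1)]
    # Reject anything that is not a syntactically valid IP address.
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def naive_client_ip(header: str) -> str:
    """The mistake to avoid: trusting the first entry, which the user controls."""
    return header.split(",")[0].strip()


if __name__ == "__main__":
    # Constructed sample headers using documentation IP ranges.
    direct = "203.0.113.10,198.51.100.1"                    # $USER_IP,$ALB_IP
    spoofed = "10.0.0.1,10.0.0.2,203.0.113.10,198.51.100.1"  # spoofed,...,$USER_IP,$ALB_IP
    via_cdn = "10.0.0.1,203.0.113.10,192.0.2.50,198.51.100.1"  # spoofed,$USER_IP,$CDN_IP,$ALB_IP
    print(client_ip_from_xff(direct, 1))    # 203.0.113.10
    print(client_ip_from_xff(spoofed, 1))   # 203.0.113.10
    print(client_ip_from_xff(via_cdn, 2))   # 203.0.113.10
    print(naive_client_ip(spoofed))         # 10.0.0.1 (attacker-chosen)
```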