mirror of
https://github.com/discourse/discourse.git
synced 2025-02-24 10:17:56 +08:00
Alan Guo Xiang Tan
We are scrubbing the `Client-Ip` request header at the nginx proxy because it is not a request header which we have decided to trust. Our application should only use the `X-Forwarded-For` request header instead.

This change helps to resolve `ActionDispatch::RemoteIp::IpSpoofAttackError` errors from being raised by the `ActionDispatch::RemoteIp` when the request headers contain both `Client-Ip` and `X-Forwarded-For`.

At the time of writing, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For also states that "The HTTP X-Forwarded-For (XFF) request header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through a proxy server."
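The failure mode this commit message describes, as an added example that is not code from Discourse or Rails: a simplified model of the header consistency check, plus the effect of dropping `Client-Ip` before the application sees the request. All method names, the error class and the sample request are hypothetical and constructed for illustration.

```ruby
require "ipaddr"

# Simplified model (hypothetical names, not Rails or Discourse code) of a
# check that rejects requests whose Client-Ip and X-Forwarded-For disagree.
class IpSpoofError < StandardError; end

# Parse a comma-separated header value into the valid IP strings it contains.
def parse_ips(value)
  value.to_s.split(",").map(&:strip).reject(&:empty?).select do |s|
    begin
      IPAddr.new(s)
      true
    rescue IPAddr::Error
      false
    end
  end
end

# Raises IpSpoofError when both headers are present and the last Client-Ip
# value does not appear anywhere in X-Forwarded-For; returns true otherwise.
def consistent_ip_headers!(env)
  client_ips    = parse_ips(env["HTTP_CLIENT_IP"])
  forwarded_ips = parse_ips(env["HTTP_X_FORWARDED_FOR"])
  if client_ips.last && forwarded_ips.last && !forwarded_ips.include?(client_ips.last)
    raise IpSpoofError, "Client-Ip=#{client_ips.last} not in X-Forwarded-For=#{forwarded_ips.join(',')}"
  end
  true
end

# Models the proxy-side scrub: the application never receives Client-Ip.
def scrub_client_ip(env)
  env.reject { |key, _| key == "HTTP_CLIENT_IP" }
end

# Constructed request: Client-Ip is supplied by the client, X-Forwarded-For by the proxy.
SAMPLE_ENV = {
  "REMOTE_ADDR" => "127.0.0.1",
  "HTTP_CLIENT_IP" => "10.0.0.1",
  "HTTP_X_FORWARDED_FOR" => "203.0.113.7",
}.freeze

# Convenience wrapper so callers can test the outcome without rescuing.
def raises_spoof_error?(env)
  consistent_ip_headers!(env)
  false
rescue IpSpoofError
  true
end
```

With the untrusted header removed, only the proxy-set `X-Forwarded-For` remains, so the two headers can no longer disagree.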