
Default value for useipinproxyheader AKA Use Client IP in Header

Open MichaelHabib opened this issue 1 year ago • 1 comment

Hi,

Info

We discovered our hosting company has it set to YES and they're claiming that's the default value. I see this as a huge security risk, when anyone can easily spoof the IP by simply changing the x-forwarded-for header. Even LiteSpeed docs warn against it in https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:show-real-ip-behind-cloudflare

In our case, we expect the PHP REMOTE_ADDR to be the "last client", in our case that's the Proxy Server, but having useipinproxyheader set to YES means anyone can pretend to be from our network and gain access to IP blocked resources.

Questions:

What's the default value for useipinproxyheader? After searching the repo, I see it's NULL, but what does that mean for a default installation?

MichaelHabib avatar Jun 01 '23 08:06 MichaelHabib
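The risk described in the post, as an added example that is not part of the issue or of OpenLiteSpeed's own code: a small Python model of client-IP resolution that contrasts believing X-Forwarded-For unconditionally (what the poster reports useipinproxyheader=YES does) with the defensive rule of trusting the header only when the connecting peer (REMOTE_ADDR) is a known proxy. The proxy range, allowlist, and request samples are constructed for the demonstration.

```python
import ipaddress

# Constructed for this example: the only hops permitted to speak for a client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed for this example: an "internal only" allowlist, like the
# IP-blocked resources the post mentions.
ALLOWLIST = [ipaddress.ip_network("192.168.1.0/24")]


def _in_any(addr, networks):
    """True if addr parses as an IP and lies in one of the networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr, xff, trusted_proxies, trust_header_blindly=False):
    """Return the address the application should treat as the client.

    trust_header_blindly=True models useipinproxyheader=YES as described
    in the issue: the leftmost X-Forwarded-For entry wins, whoever sent it.
    trust_header_blindly=False keeps REMOTE_ADDR (the last hop) and only
    walks the header, right to left, while each hop is a trusted proxy.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []

    if trust_header_blindly:
        # Anyone can put any value here; a direct client spoofs trivially.
        return hops[0] if hops else remote_addr

    candidate = remote_addr
    for hop in reversed(hops):
        if not _in_any(candidate, trusted_proxies):
            break  # current hop is not ours to trust; it is the client
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # A malformed entry behind a trusted proxy: refuse rather than guess.
            raise ValueError(f"malformed X-Forwarded-For entry: {hop!r}")
        candidate = hop
    return candidate


def is_allowed(client_ip, allowlist=ALLOWLIST):
    """Allowlist check that an application might apply to the resolved IP."""
    return _in_any(client_ip, allowlist)


# Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For)
SAMPLES = {
    # External host claims an internal address in the header.
    "spoof_direct": ("203.0.113.7", "192.168.1.5"),
    # Genuine request through the trusted proxy, one extra trusted hop.
    "via_proxy": ("10.0.0.2", "198.51.100.9, 10.0.0.3"),
    # Trusted proxy forwarding for a real internal client.
    "internal_via_proxy": ("10.0.0.2", "192.168.1.20"),
}


def evaluate(trust_header_blindly):
    """Map each sample to (resolved client IP, allowed?) under the given mode."""
    results = {}
    for name, (remote, xff) in SAMPLES.items():
        ip = resolve_client_ip(remote, xff, TRUSTED_PROXIES, trust_header_blindly)
        results[name] = (ip, is_allowed(ip))
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print("trust header blindly:", mode)
        for name, outcome in evaluate(mode).items():
            print(f"  {name:20s} -> client {outcome[0]:15s} allowed={outcome[1]}")
```

In blind mode the spoofed direct request resolves to 192.168.1.5 and passes the allowlist; in the defensive mode it resolves to 203.0.113.7 and is denied, while genuine proxied requests still yield the real client. The same ordering matters at the web-server layer: whatever sets REMOTE_ADDR for PHP must only honour the header when the connecting peer is the proxy.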

Yes, default is "not set", which is not enabled.

qtwrk avatar Jun 01 '23 12:06 qtwrk