Thanks Curtis, I just stumbled across this in the config file. Here are the questions please.
- Do XFF headers work?
- Is there a security issue setting trust_x_forwarded_for = on?
- The default statement of “on” seems inaccurate for 2.4.x installs as we did not know it was there.
- Does enabling it break something else?
- Is there a way to be emailed when someone accesses the system via this mode?
Our section of config.
; Allow the X_FORWARDED_FOR header to override the REMOTE_ADDR as the source IP
; Set this to "On" if you are behind a reverse proxy and you control the X_FORWARDED_FOR
; Warning: This defaults to "On" if unset for backwards compatibility.
trust_x_forwarded_for = Off
Many Thanks!
radjr
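
An added example, not part of the original post and not the application's own code: it models the behaviour the config comment describes (the header overriding REMOTE_ADDR) next to a resolver that honours the header only when the TCP peer is a reverse proxy you control. The function names and the `TRUSTED_PROXIES` range are hypothetical, and all addresses are constructed samples.

```python
import ipaddress

# Assumption (constructed): address range of the reverse proxies you operate.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)

def naive_source_ip(remote_addr, xff_header):
    """Model of 'header overrides REMOTE_ADDR' with no check on who sent it."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return remote_addr

def checked_source_ip(remote_addr, xff_header, trust_x_forwarded_for):
    """Source IP to log or match against IP rules."""
    if not trust_x_forwarded_for or not xff_header:
        return remote_addr
    # The header is only meaningful when the TCP peer is one of our proxies.
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, anything further left was supplied by the client.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr  # malformed entry: fall back to the TCP peer
    return remote_addr  # every hop was one of our proxies

if __name__ == "__main__":
    # Direct connection (no proxy in front) carrying a client-set header.
    print(naive_source_ip("203.0.113.7", "192.0.2.1"))
    print(checked_source_ip("203.0.113.7", "192.0.2.1", True))
    # Same request arriving through the trusted proxy at 10.0.0.5.
    print(checked_source_ip("10.0.0.5", "192.0.2.1, 198.51.100.9", True))
```
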