Set default `forwarded_for_headers` to 'HTTP_X_FORWARDED_FOR'

author: Robin McCorkell <rmccorkell@karoshi.org.uk> 2015-07-25 18:10:21 +0100
committer: Thomas Müller <thomas.mueller@tmit.eu> 2015-08-10 23:04:52 +0200
commit: 8944af57cbd1fd2962b6adeaed76c6cd41712453 (patch)
tree: 5a7807b7deef2eacb50afb42912acb828c382c7a /config
parent: 9650f3ecbebfc7c7cc30b787acae3490b0f4e6b5 (diff)
download: nextcloud-server-8944af57cbd1fd2962b6adeaed76c6cd41712453.tar.gz
nextcloud-server-8944af57cbd1fd2962b6adeaed76c6cd41712453.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/config/config.sample.php b/config/config.sample.php
index 3b5632087f6..5c362e94250 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -1017,7 +1017,13 @@ $CONFIG = array(
 
 /**
  * Headers that should be trusted as client IP address in combination with
- * `trusted_proxies`
+ * `trusted_proxies`. If the HTTP header looks like 'X-Forwarded-For', then use
+ * 'HTTP_X_FORWARDED_FOR' here.
+ *
+ * If set incorrectly, a client can spoof their IP address as visible to
+ * ownCloud, bypassing access controls and making logs useless!
+ *
+ * Defaults to 'HTTP_X_FORWARED_FOR' if unset
  */
 'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),
author	Robin McCorkell <rmccorkell@karoshi.org.uk>	2015-07-25 18:10:21 +0100
committer	Thomas Müller <thomas.mueller@tmit.eu>	2015-08-10 23:04:52 +0200
commit	8944af57cbd1fd2962b6adeaed76c6cd41712453 (patch)
tree	5a7807b7deef2eacb50afb42912acb828c382c7a /config
parent	9650f3ecbebfc7c7cc30b787acae3490b0f4e6b5 (diff)
download	nextcloud-server-8944af57cbd1fd2962b6adeaed76c6cd41712453.tar.gz nextcloud-server-8944af57cbd1fd2962b6adeaed76c6cd41712453.zip