Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #31288, comment 10


Timestamp: 02/11/2015 02:43:52 AM (10 years ago)
Author: chaoix
  • Ticket #31288, comment 10

    initial v1  
    11What about in addition to checking the X-Forwarded-Proto header we also check Remote-Addr, a server set header against a filtered array of whitelisted load balancer IP addresses since the issue here isn't whether to use the X-Forwarded-Proto header but verifying the identity of the server sending it and the ability to not have load balancer heading checks enabled by default.
    22
    3 I am not convinced header manipulation is a not real concern though for this use case. Using the load balancer use case, the only traffic sent to the web server is through a VPN connection between the load balancers and the web servers. It is not possible for the web server to be access via port 80 directly.
     3I am not convinced header manipulation is a real concern though for this use case. Using the load balancer use case, the only traffic sent to the web server is through a VPN connection between the load balancers and the web servers. It is not possible for the web server to be access via port 80 directly.
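
The check proposed in this comment, sketched as an added example (not code from the ticket or from WordPress core): `X-Forwarded-Proto` is honoured only when `REMOTE_ADDR` matches a list of load balancer addresses, and that list is empty by default so the header check stays off unless configured. The function name, the `$trusted_proxies` parameter and the sample addresses (documentation ranges) are assumptions made for illustration.

```php
<?php
// Added illustration; names are hypothetical, not WordPress core code.

/**
 * Decide whether the original client request used HTTPS, trusting
 * X-Forwarded-Proto only when the TCP peer is a listed load balancer.
 */
function is_ssl_via_trusted_proxy( array $server, array $trusted_proxies = array() ) {
	// TLS terminated on this server: no forwarded header needed.
	if ( isset( $server['HTTPS'] ) && in_array( strtolower( $server['HTTPS'] ), array( 'on', '1' ), true ) ) {
		return true;
	}
	// Empty list (the default) means the header is never consulted.
	if ( empty( $trusted_proxies ) || empty( $server['REMOTE_ADDR'] ) || empty( $server['HTTP_X_FORWARDED_PROTO'] ) ) {
		return false;
	}
	// REMOTE_ADDR is set by the web server from the TCP connection, not by the client.
	$peer = @inet_pton( $server['REMOTE_ADDR'] );
	if ( false === $peer ) {
		return false;
	}
	foreach ( $trusted_proxies as $proxy ) {
		// Compare packed binary forms so differently written equal addresses still match.
		$packed = @inet_pton( $proxy );
		if ( false !== $packed && $packed === $peer ) {
			return 'https' === strtolower( trim( $server['HTTP_X_FORWARDED_PROTO'] ) );
		}
	}
	// Header present but sent by an unlisted peer: ignore it.
	return false;
}

// Constructed sample data: one load balancer address and three requests.
$load_balancers = array( '192.0.2.10' );
$requests = array(
	'via load balancer'       => array( 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https' ),
	'header from other peer'  => array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https' ),
	'direct TLS, no header'   => array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on' ),
);
foreach ( $requests as $label => $server ) {
	printf(
		"%-24s configured list: %-5s default (empty) list: %s\n",
		$label,
		var_export( is_ssl_via_trusted_proxy( $server, $load_balancers ), true ),
		var_export( is_ssl_via_trusted_proxy( $server ), true )
	);
}
```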