I want to know why it is stated "Do not append proxy IP addresses to the x-forwarded-for HTTP header." in the docs?
Why should we not append the proxy IP address to x-forwarded-for? (I assume the proxy address refers to Pomerium’s Envoy IP address, right?) I have read the Envoy docs but do not really get it, because Envoy does not state we should not append it.
Also, what is the default setting for use_remote_address in Pomerium’s Envoy?
And I don’t see the X-Forwarded-For header in my request header (client → pomerium → httpbin.org/get)?
I see in the code that use_remote_address is true.
And skip_xff_append is false by default in Pomerium.
Which means that, according to the Envoy docs, with use_remote_address: true; skip_xff_append: false, this will append to x-forwarded-for by default.
Envoy will only append to XFF if the use_remote_address HTTP connection manager option is set to true and the skip_xff_append is set false. This means that if use_remote_address is false (which is the default) or skip_xff_append is true, the connection manager operates in a transparent mode where it does not modify XFF.
If the docs state "Do not append proxy IP addresses to the x-forwarded-for HTTP header.",
why then are the default values appending to the XFF? So should we always set skip_xff_append to true?
"Do not append proxy IP addresses to the x-forwarded-for HTTP header."
is intended as a description of the behavior that Pomerium will exhibit when this option is set to true. It is not intended as a recommendation. The default behavior should be appropriate for most use cases, and there is no need to set skip_xff_append unless your use case requires it.
I’ll see if I can update the wording in the documentation to help make this clearer.
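An added example, not part of the thread and not Pomerium or Envoy code: a small Python model of the append rule quoted from the Envoy docs, run over all four combinations of use_remote_address and skip_xff_append, showing what the upstream receives and which entry it can attribute to the proxy. The function names, the sample addresses and the bare-comma separator are assumptions made for illustration.

```python
from typing import Dict, Optional, Tuple


def envoy_xff(incoming_xff: Optional[str], peer_ip: str,
              use_remote_address: bool, skip_xff_append: bool) -> Optional[str]:
    """Model of the quoted rule: the proxy appends the address of its direct
    peer only when use_remote_address is true and skip_xff_append is false."""
    if use_remote_address and not skip_xff_append:
        # Separator is an assumption of this model.
        return f"{incoming_xff},{peer_ip}" if incoming_xff else peer_ip
    # Transparent mode: the header is forwarded exactly as it was received.
    return incoming_xff


def proxy_observed_client(xff: Optional[str], appended: bool) -> Optional[str]:
    """Upstream view: only the rightmost entry was written by the proxy.
    Everything to its left arrived in the request and is unverified."""
    if not appended or not xff:
        return None
    return xff.split(",")[-1].strip()


def matrix(incoming_xff: Optional[str],
           peer_ip: str) -> Dict[Tuple[bool, bool], Tuple[Optional[str], Optional[str]]]:
    """Evaluate every (use_remote_address, skip_xff_append) combination."""
    results = {}
    for use_remote_address in (True, False):
        for skip_xff_append in (True, False):
            appended = use_remote_address and not skip_xff_append
            xff = envoy_xff(incoming_xff, peer_ip, use_remote_address, skip_xff_append)
            results[(use_remote_address, skip_xff_append)] = (
                xff, proxy_observed_client(xff, appended))
    return results


if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.7 sends its own XFF value.
    for (ura, skip), (xff, trusted) in matrix("10.0.0.1", "203.0.113.7").items():
        print(f"use_remote_address={ura!s:5} skip_xff_append={skip!s:5} "
              f"upstream XFF={xff!r:24} proxy-attested client={trusted!r}")
```

With the defaults discussed in the thread (use_remote_address true, skip_xff_append false), the upstream gets one entry it can attribute to the proxy; in the other three combinations the header carries only what the request already contained.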