We may be selecting the wrong element from X-Forwarded-For lists, and getting a good-enough result because it's rare that this list contains more than one element. If the element selection is incorrect, several things should be updated.
Description
Description
Revisions and Commits
Revisions and Commits
Event Timeline
Comment Actions
Our behavior appears to be correct when the load balancer is an AWS ELB.
If I make a request with the header X-Forwarded-For: AAAA, BBBB, the host receives a request with the header like X-Forwarded-For: AAAA, BBBB, 1.2.3.4, where 1.2.3.4 is the my actual address.
This is actually consistent with the documentation referenced in the linked thread, I think the reporter actually needs to take the second-to-last element.
So I think we're largely good here, but support could be improved by loading a small library before loading preamble.php and providing something like preamble_trust_x_forwarded_for_http_header(N = 1), where N is the number of load balancers to trust.