nginx's X-Forwarded-For is $proxy_add_x_forwarded_for, which only appends to whatever the client sends — a forged leftmost hop passed straight through, letting an attacker rotate spoofed values to dodge the 5s login cooldown. X-Real-IP is set by nginx to $remote_addr on every proxied location and can't be forged by the client, so key on that instead. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| compare | ||
| discord-go | ||
| inventory-go | ||
| nginx | ||
| tracker-go | ||
| .gitattributes | ||
| docker-compose.cutover.yml | ||
| docker-compose.go.yml | ||