Right now this layer automatically parses X-Forwarded-For and takes the leftmost value in there... or takes the TCP connection address if no header is present. This means that anyone can spoof client IP addresses by adding an X-Forwarded-For header.
It should be possible to disable looking at X-Forwarded-For, or to take the rightmost value from X-Forwarded-For instead (the one added by the latest load balancer...). For discussion on these things... see: https://crates.io/crates/axum-client-ip
The IP address of the original client behind all proxies, if
known (e.g. from Forwarded, X-Forwarded-For, or a similar header).
Otherwise, the immediate client peer address.
If a request goes through multiple proxies, the IP addresses of each successive proxy is listed. This means that, given well-behaved client and proxies, the rightmost IP address is the IP address of the most recent proxy and the leftmost IP address is the IP address of the originating client.
So taking the leftmost is what we want "The IP address of the original client".
Note: this attribute was removed in release 0.12 (but it will come back in a future release, if I don't forget)
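The two selection strategies discussed in this thread, side by side, as an added example that is not code from this project or from axum-client-ip. The function names and the `trusted_hops` parameter are hypothetical, the addresses are constructed from documentation ranges, and it assumes each trusted proxy appends the peer address it saw to X-Forwarded-For.

```rust
use std::net::IpAddr;

/// Flatten every X-Forwarded-For header line into one ordered entry list.
fn xff_entries<'a>(header_lines: &[&'a str]) -> Vec<&'a str> {
    header_lines
        .iter()
        .copied()
        .flat_map(|line| line.split(','))
        .map(str::trim)
        .filter(|s| !s.is_empty())
        .collect()
}

/// Leftmost entry, as described in the issue: the sender fully controls it.
fn leftmost(header_lines: &[&str], peer: IpAddr) -> IpAddr {
    xff_entries(header_lines)
        .first()
        .and_then(|s| s.parse::<IpAddr>().ok())
        .unwrap_or(peer)
}

/// Entry written by the outermost of `trusted_hops` trusted proxies, counted
/// from the right. 0 disables the header; a short or unparsable header falls
/// back to the TCP peer instead of trusting sender-supplied data.
fn rightmost_trusted(header_lines: &[&str], peer: IpAddr, trusted_hops: usize) -> IpAddr {
    if trusted_hops == 0 {
        return peer;
    }
    let entries = xff_entries(header_lines);
    entries
        .len()
        .checked_sub(trusted_hops)
        .and_then(|i| entries[i].parse::<IpAddr>().ok())
        .unwrap_or(peer)
}

fn main() {
    // Constructed request: the client at 203.0.113.7 sent a forged
    // "X-Forwarded-For: 198.51.100.23"; the load balancer at 10.0.0.5
    // appended the address it actually saw.
    let peer: IpAddr = "10.0.0.5".parse().unwrap();
    let header = ["198.51.100.23, 203.0.113.7"];
    println!("leftmost:            {}", leftmost(&header, peer));
    println!("rightmost (1 proxy): {}", rightmost_trusted(&header, peer, 1));
    println!("header disabled:     {}", rightmost_trusted(&header, peer, 0));
}
```
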