Refine useXForwardedForIP option by setting trusted proxies
It has sense to store X-Forwarded-For IP address as client IP (cf ##486 (closed)), but manager's 'useXForwardedForIP' option set to 'on' or 'off' is not enough :
- if it is set to 'on', as anybody can forge his own "X-Forwarded-For" HTTP Header, client IP is not reliable
- if it is set to 'off', plenty of users may appear with the same IP address (that is, a proxy's IP address), so client IP has little sense.
Instead of 'useXForwardedForIP' option, it would be nice to set a list of trusted proxies, defined by IP address or domain name (or possibly by a regexp on IP address) :
- if the list is empty, never use X-Forwarded-For address (amounts to useXForwardedFor set to false)
- if the list contains '*', always use X-Forwarded-For address as IP address (amounts to useXForwardedFor set to true)
- else, replace IP address with last X-Forwarded-For address, as long as IP address belongs to a trusted proxy.