@MauByr Sorry for the delay. I think this is a good idea and we should add this feature. If you would provide a pull request, that would be great.
I have a Play service that we have hosted on ECS in a VPC behind an ALB and want to log client IPs.
We can't establish the load balancer's IP range to configure trustedProxies, so have to set it to all IPs as the docs suggest for cloud environments (https://www.playframework.com/documentation/3.0.x/HTTPServer#Trusting-all-proxies). However, this leaves it open to spoofing as ALB doesn't have the capability to remove incoming X-Forwarded-For headers.
Currently I am able to get the correct remote address by manually extracting the rightmost entry in the X-Forwarded-For list, which we can always trust as the service is only accessible via the ALB.
Given this feels like quite a common scenario, I was wondering if it would make sense to have this functionality inbuilt into Play somehow.
For example, a config like
play.http.forwarded.trustedLayerCount=1
which would allow us to set a number of trusted hops for the architecture where this is known and static but the actual IPs are not.
I'm happy to take a look at the implementation of this if it seems sensible.
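The hop-counting rule proposed in the post, as an added Scala example that is neither the poster's code nor Play's implementation. `TrustedHops` and `clientAddress` are hypothetical names, `trustedLayerCount` mirrors the proposed setting, the addresses are constructed samples, and entries are assumed to be bare addresses without ports.

```scala
// Added example, not Play's implementation. `clientAddress` is a hypothetical helper.
object TrustedHops {

  /** Pick the client address from X-Forwarded-For by counting trusted hops
    * from the right.
    *
    * @param xffValues         every X-Forwarded-For header line, in received order
    * @param peerAddress       address of the TCP peer (the nearest proxy)
    * @param trustedLayerCount number of proxies in front of the service that we control
    * @return None when the header has fewer entries than trusted hops, i.e. the
    *         request did not come through the expected chain
    */
  def clientAddress(xffValues: Seq[String], peerAddress: String, trustedLayerCount: Int): Option[String] = {
    require(trustedLayerCount >= 0, "trustedLayerCount must not be negative")
    if (trustedLayerCount == 0) Some(peerAddress)
    else {
      // Repeated header lines form one logical list; flatten before indexing.
      val entries = xffValues.flatMap(_.split(',')).map(_.trim).filter(_.nonEmpty)
      // Hop 1 (the peer) appended the rightmost entry, hop 2 the one before it, ...
      // Everything further left was supplied by the client and is untrusted.
      val index = entries.length - trustedLayerCount
      if (index >= 0) Some(entries(index)) else None
    }
  }

  def main(args: Array[String]): Unit = {
    val alb = "10.0.1.23" // constructed sample: ALB node inside the VPC
    // Client sent "X-Forwarded-For: 127.0.0.1"; the ALB appended the real source.
    assert(clientAddress(Seq("127.0.0.1, 203.0.113.7"), alb, 1) == Some("203.0.113.7"))
    // Same list split across two header lines.
    assert(clientAddress(Seq("127.0.0.1", "203.0.113.7"), alb, 1) == Some("203.0.113.7"))
    // Two trusted layers (another proxy we control in front of the ALB).
    assert(clientAddress(Seq("127.0.0.1, 203.0.113.7, 10.0.9.4"), alb, 2) == Some("203.0.113.7"))
    // Header missing: the request did not pass through the ALB, so trust nothing.
    assert(clientAddress(Seq.empty, alb, 1).isEmpty)
    println("all checks passed")
  }
}
```

Returning `None` for a too-short list lets the caller log the peer address and flag the request instead of silently trusting a client-supplied value.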