web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers \ --clear-untrusted-proxy-headers environment using X-Forwarded-Proto, X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Port: proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Port $server_port; when using Apache, mod_proxy automatically forwards the following headers: X-Forwarded-For X-Forwarded-Host X-Forwarded-Server You will also want to add to Apache: RequestHeader set

web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers \ --clear-untrusted-proxy-headers environment using X-Forwarded-Proto, X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Port: proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Port $server_port; when using Apache, mod_proxy automatically forwards the following headers: X-Forwarded-For X-Forwarded-Host X-Forwarded-Server You will also want to add to Apache: RequestHeader set

web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers \ --clear-untrusted-proxy-headers environment using X-Forwarded-Proto, X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Port: proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Port $server_port; when using Apache, mod_proxy automatically forwards the following headers: X-Forwarded-For X-Forwarded-Host X-Forwarded-Server You will also want to add to Apache: RequestHeader set

environment using X-Forwarded-Proto, X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Port: proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Port $server_port; when using Apache, mod_proxy automatically forwards the following headers: X-Forwarded-For X-Forwarded-Host X-Forwarded-Server 1.3. Using Behind a Reverse Proxy 7 waitress Documentation https Configure waitress’s trusted_proxy_headers as appropriate: trusted_proxy_headers = "x-forwarded-for x-forwarded-host x-forwarded-proto x- ˓→forwarded-port" At this point waitress will set up

environment using X-Forwarded-Proto, X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Port: proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Port $server_port; when using Apache, mod_proxy automatically forwards the following headers: X-Forwarded-For X-Forwarded-Host X-Forwarded-Server 1.3. Using Behind a Reverse Proxy 7 waitress Documentation https Configure waitress’s trusted_proxy_headers as appropriate: trusted_proxy_headers = "x-forwarded-for x-forwarded-host x-forwarded-proto x- ˓→forwarded-port" At this point waitress will set up

connections  L4 • Add IP in TCP Protocol options • Proxy Protocol  L7 • HTTP header “x-forwarded-for” • User Protocol #IstioCon LVS ① user send traffic to LVS ② PREROUTING chain intercept which of the two versions is present. - Proxy Protocol Transport Socket #IstioCon HTTP XFF x-forwarded-for (XFF) is a standard proxy header which indicates the IP addresses that a request has flowed Pod2：10.244.0.25 Dest: 127.0.0.1 Src：127.0.0.1 XFF: 10.244.0.20 XFF: 10.244.0.20 ① Enable X-Forwarded-For HTTP header in svcA #IstioCon Preserve HTTP Original Src Addr - ingress svcB envoy envoy

the client requests Connection: keep-alive). If xheaders is True, we support the X-Real-Ip/X-Forwarded-For and X-Scheme/X-Forwarded-Proto headers, which override the remote IP and URI scheme/protocol SSL-decoding proxy that does not set one of the supported xheaders. By default, when parsing the X-Forwarded-For header, Tornado will select the last (i.e., the closest) address on the list of hosts as the may be passed as the trusted_downstream argument. These hosts will be skipped when parsing the X-Forwarded-For header. To make this server serve SSL traffic, send the ssl_options keyword argument with an

the client requests Connection: keep-alive). If xheaders is True, we support the X-Real-Ip/X-Forwarded-For and X-Scheme/X-Forwarded-Proto headers, which override the remote IP and URI scheme/protocol SSL-decoding proxy that does not set one of the supported xheaders. By default, when parsing the X-Forwarded-For header, Tornado will select the last (i.e., the closest) address on the list of hosts as the may be passed as the trusted_downstream argument. These hosts will be skipped when parsing the X-Forwarded-For header. To make this server serve SSL traffic, send the ssl_options keyword argument with an

the client requests Connection: keep-alive). If xheaders is True, we support the X-Real-Ip/X-Forwarded-For and X-Scheme/X-Forwarded-Proto headers, which override the remote IP and URI scheme/protocol SSL-decoding proxy that does not set one of the supported xheaders. By default, when parsing the X-Forwarded-For header, Tornado will select the last (i.e., the closest) address on the list of hosts as the may be passed as the trusted_downstream argument. These hosts will be skipped when parsing the X-Forwarded-For header. To make this server serve SSL traffic, send the ssl_options keyword argument with an

clients 79 Tornado Documentation, Release 6.0.4 If xheaders is True, we support the X-Real-Ip/X-Forwarded-For and X-Scheme/X-Forwarded-Proto headers, which override the remote IP and URI scheme/protocol SSL-decoding proxy that does not set one of the supported xheaders. By default, when parsing the X-Forwarded-For header, Tornado will select the last (i.e., the closest) address on the list of hosts as the may be passed as the trusted_downstream argument. These hosts will be skipped when parsing the X-Forwarded-For header. To make this server serve SSL traffic, send the ssl_options keyword argument with an