diff CHANGES.txt @ 5303:5017c3422334

Pass X-Forwarded-For and X-Forwarded-Proto headers as HTTP_X-FORWARDED-FOR and HTTP_X-FORWARDED-PROTO variables in the tracker environment array. Neither of these variables should be used by the code unless config.ini params are added to control their use.

I use the FORWARDED-FOR variable to disable the reCAPTCHA extension check if it is a local address using:

    if 'HTTP_X-FORWARDED-FOR' in self.client.env:
        # if proxied from client at local site, don't validate captcha
        # used for running automated tests.
        clientip = self.client.env['HTTP_X-FORWARDED-FOR'].split(',')[0]
        if clientip.startswith("192.168.10."):
            secret = "none"

I run a front end web server that proxies over loopback to the running roundup-server. So I feel I can trust the X-Forwarded-For header. In other setups that may not be true. Hence the requirement that it not be used in core roundup code without allowing the roundup admin the ability to disable it.
author John Rouillard <rouilj@ieee.org>
date Mon, 09 Oct 2017 17:54:54 -0400
parents 6b87c06e0e0c
children e20f472fde7d
line diff
--- a/CHANGES.txt	Fri Oct 06 21:35:28 2017 -0400
+++ b/CHANGES.txt	Mon Oct 09 17:54:54 2017 -0400
@@ -209,6 +209,13 @@
   from the templating class to the hyperdb. (John Rouillard)
 - Improves diagnostics for mail processing: When using logging level = DEBUG,
   bounces and bounce problems are logged. (Bernhard Reiter)
+- In roundup-server, pass X-Forwarded-For and X-Forwarded-Proto
+  headers as the environment variables: HTTP_X-FORWARDED-FOR and
+  HTTP_X_FORWARDED_PROTO. If the user is running roundup server behind
+  a proxy, these headers allow the user to write extensions that can
+  figure out the original client ip and protocol. None of the core
+  roundup code uses these headers/env vars. These headers can be
+  spoofed by bad proxies etc. so you have been warned.
 
 Fixed:
 
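Review bot: the two environment variable names in this entry disagree with each other and with the commit message: the HTTP_X-FORWARDED-FOR line uses hyphens while the HTTP_X_FORWARDED_PROTO line uses underscores, and the commit message itself gives HTTP_X-FORWARDED-PROTO. Extension authors will copy these names verbatim, so the entry should spell them exactly as the server code sets them; the usual CGI mapping (HTTP_ prefix, hyphens turned into underscores) would give HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_PROTO, so if the implementation deliberately keeps the hyphen, say so. The warning "can be spoofed by bad proxies" is also weaker than the actual risk: X-Forwarded-For is a comma-separated chain and everything left of the entry appended by the admin's own proxy is written by the client, so the note could state that only the value added by a proxy the admin controls is trustworthy. Minor: "roundup server" here versus "roundup-server" two lines above.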

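The commit message takes the leftmost X-Forwarded-For entry, which is the one a client can write itself; the following added example (not Roundup's own code) shows the defensive alternative of walking the chain from the right and stopping at the first address that is not a trusted proxy, using the HTTP_X-FORWARDED-FOR name from this commit. The names TRUSTED_PROXIES, LOCAL_SITE, trusted_client_ip and is_local_test_client, and the loopback-only proxy setup, are assumptions for this example.

```python
import ipaddress

# Constructed assumption, matching the setup in the commit message: the only
# proxy allowed to set the header is a front end talking over loopback.
TRUSTED_PROXIES = {ipaddress.ip_network("127.0.0.0/8")}
# The "local site" range the captcha bypass in the commit message keys on.
LOCAL_SITE = ipaddress.ip_network("192.168.10.0/24")


def trusted_client_ip(env, trusted_proxies=TRUSTED_PROXIES):
    """Return the client address a trusted proxy vouches for, else REMOTE_ADDR.

    Each proxy appends the address it received the request from, so the
    rightmost X-Forwarded-For entry was written by the peer in REMOTE_ADDR.
    Walk the chain from the right while the current peer is a proxy we
    trust; the first address that is not one of our proxies is the client.
    Entries to its left could have been supplied by the client and are
    ignored.
    """
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])
    raw = env.get("HTTP_X-FORWARDED-FOR", "")
    chain = [hop.strip() for hop in raw.split(",") if hop.strip()]
    while chain and any(peer in net for net in trusted_proxies):
        try:
            peer = ipaddress.ip_address(chain.pop())
        except ValueError:
            break  # malformed hop: stop trusting the chain at this point
    return str(peer)


def is_local_test_client(env):
    """The captcha-bypass decision from the commit message, but keyed on the
    vouched-for address rather than the leftmost, client-writable entry."""
    return ipaddress.ip_address(trusted_client_ip(env)) in LOCAL_SITE
```

With a direct connection (REMOTE_ADDR not a trusted proxy) the header is ignored entirely, so a forged X-Forwarded-For never reaches the local-site check.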
Roundup Issue Tracker: http://roundup-tracker.org/