X-Forwarded-For Trust Configuration

Currently Plex is set up according to the Mozilla X-Forwarded-For IP Selection requirements, which is not necessarily a bad approach (although, without any configuration in a reverse proxy, it may lead to IP spoofing). However, it ignores local IP ranges, so any user with their server set to allow unauthenticated local connections should not be vulnerable to IP spoofing.

This falls apart, however, when a reverse proxy is introduced into the mix: external users will correctly have their IP selected from the X-Forwarded-For header, as it is an external IP address, but users local to the reverse proxy will have their IP address incorrectly ignored, and it will be reported as coming from the reverse proxy's IP, which is incorrect.

I propose that, in order to provide both a sensible default and more flexibility, Plex should implement the second/third recommendation from the aforementioned Mozilla documentation, namely allowing the configuration of a "Trusted proxy count" and/or "Trusted proxy list". This should supersede the rules for ignoring local IP addresses, allowing administrators to explicitly configure it to trust either a certain number of hops or an allow-list of known trusted reverse proxies.

Just searching the forums shows that there are many people for whom this would be useful, but no reply, stance, or justification has ever been provided for why this configuration is not permitted: https://forums.plex.tv/t/please-allow-local-network-detection-for-proxies-sending-x-forwarded-for-or-x-real-ip/160060, https://forums.plex.tv/t/x-forwarded-for-broken-when-ip-is-rfc1918/640686/4, https://forums.plex.tv/t/does-plex-ignore-x-real-ip-or-x-forwarded-for-in-the-headers-for-local-ip-addresses/826691.
