Comment 6 for bug 1563954

There is a 3rd option which IMO is slightly less terrible but probably still an ops wart.

* Add a config option that is the list of trusted IPs (ie proxy servers) and only use the X-Forwarded-For header if the actual peer address is in that list. There is no sane default that will work for ops so if we go this way we'll need to call it out in the release notes / OSSA

Yes this moves the trust issue to the proxy server/load balancer squid[1] and f5 have trivial ways to do that.

[1] http://www.squid-cache.org/Doc/config/forwarded_for/
[2] https://devcentral.f5.com/questions/prevent-x-forwarded-for-spoofing