Comment 1 for bug 1843577

I remember that there was a version of the patch that respected X-Forwarded-For, but I was worried about clients adding the header themselves and bypassing the IP restriction. Maybe it'd be ok as an opt-in config option to look at X-Forwarded-For/Forwarded headers, though? If an operator *knows* they only have swift binding to localhost while haproxy/apache/whatever-else has the publicly-accessible port, I suppose it seems safe enough...

What proxy do you have fronting swift? Does it support haproxy's PROXY protocol? I've had pretty good luck with https://github.com/openstack/swift/commit/661838d since we introduced it, and the either-or nature of it seems less risky (to me) than looking for a header which either

* isn't present at all,
* is present and was sent by an internal-to-the-cluster load-balancer or such, or
* is present and was sent by a client.