From 7f08f10c37e36c565563c1e5c4a598e7a7a056ac Mon Sep 17 00:00:00 2001
From: ed
Date: Sat, 9 Mar 2024 20:30:20 +0000
Subject: [PATCH] stop recommending `--xff-src=any`; running behind cloudflare doesn't necessarily mean being accessible ONLY through cloudflare also include a general warning about optimal configuration for non-cloudflare intermediates
---
 copyparty/httpcli.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index a97c32ce..818498d0 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -319,7 +319,9 @@ class HttpCli(object):
 if self.args.xff_re and not self.args.xff_re.match(pip):
 t = 'got header "%s" from untrusted source "%s" claiming the true client ip is "%s" (raw value: "%s"); if you trust this, you must allowlist this proxy with "--xff-src=%s"'
 if self.headers.get("cf-connecting-ip"):
- t += " Alternatively, if you are behind cloudflare, it is better to specify these two instead: --xff-hdr=cf-connecting-ip --xff-src=any"
+ t += ' Note: if you are behind cloudflare, then this default header is not a good choice; please first make sure your local reverse-proxy (if any) does not allow non-cloudflare IPs from providing cf-* headers, and then add this additional global setting: "--xff-hdr=cf-connecting-ip"'
+ else:
+ t += ' Note: depending on your reverse-proxy, and/or WAF, and/or other intermediates, you may want to read the true client IP from another header by also specifying "--xff-hdr=SomeOtherHeader"'
 zs = (
 ".".join(pip.split(".")[:2]) + "."
 if "." in pip
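Review bot: The cloudflare hint on the first `+` line is selected by `if self.headers.get("cf-connecting-ip"):`, i.e. purely by the presence of a header that an untrusted source (the very case this branch handles) can set itself, so the reasoning the commit message gives should live next to the code rather than only in history; a comment above the `if` such as `# presence of cf-connecting-ip is not proof the request came via cloudflare (the commit notes a proxied host may still be reachable directly), so do not suggest --xff-src=any here` would keep the next maintainer from reintroducing the old advice. The two added string literals each run well past 200 characters on a single line; splitting them with implicit string concatenation inside parentheses would preserve the exact runtime text while fitting the file's line width. The enclosing method starts before this hunk and continues after it.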