I think that should be merged up once merged into 3.x but will let that up to @wilsonge and @rdeutz

This one is slightly different as it has the protection on the new /api endpoint as well.

Anything I can do to make it easier for @wilsonge to "merge up" I will do, easier for him just to hit a merge button :)

Code blocks rearranged to satisfy comments on the Joomla 3 version of this PR.

I have tested this item ✅ successfully on b5a00e5

The PR fixes the issue by not allowing IP override when the new option "Behind Load Balancer" is switched off (default).

When the option is switched on, IP override is still allowed (and has to be, otherwise the load balancer or similar would not work).

Tested with help of Firefox' developer tools.

I think we should use this PR as it is and consider to make enhancements like mentioned here #32866 (comment) with future PR's. For those I am open for "softening" the new feature policy and consider them for 4.0, as they can be considered to be security enhancements, as long as fully b/c. But that's just my personal opinion, I don't speak for anyone else.

Questions: Should there be a hint in release notes to switch the new option on with a clear description of when it has to be done and when not?

A postinstall message about the new configuration option will be added by the J3 PR #32866 . This will be merged up into 3.10-dev, too, and so still will be there when people have updated their 3.10 to 4. So nothing more to do here, this PR is fine as it is, as far as I can see.

Hi,

The rest of the fields don't have a description.

Why this particular field need this description "If your site is behind a load balancer or reverse proxy (CloudFlare, Sucuri etc.) enable this setting so that IP addresses and other configurations within Joomla automatically take this into account."?

a. We have a description to all fields2
b. We don't have a description unless there is a very good reason. ("Behind Load Balancer" is a border case).

Because this is a complex new setting I guess we just need to expound it.

"CloudFlare, Sucuri " have been removed from the Joomla 3 version of this PR and probably will be from this one too

It is weird at the UX level to have a single field for a border case with a detailed description (even if it a cool description ;-) ).

I mean we could easily argue that most of the fields in the Global Configuration require knowledge about what you are doing.

I feel somehow like sitting in the middle of you now, listening you, and thinking you are both right somehow.

Yes, it's not consistent to have descriptions there.

But yes, I think this setting is one of those where I personally need a description.

Fact is that maintainers were happy with it having a description for merging into Joomla 3....

... but then one would hope this is not so "new a feature" in Joomla 4 that people would not need it spelling out to them?

... but then one would hope this is not so "new a feature" in Joomla 4 that people would not need it spelling out to them?

That could be right, too. I'm ok with both, with or without description in J4.

Closing this as its already been merged into Joomla 3, and so will "eventually" make its way into Joomla 4

At that time (depending on my mood) I will revisit the /api endpoint. The rest is already in Joomla 3.

This has now made it's way into J4. I believe I have also sorted the api endpoint whilst i was doing the conflicts

Thanks - looks to be there correctly and I have tested it and it works as expected both behind a proxy and without a proxy.