* Only trusts X-Forwarded-For/X-Real-IP headers when the request comes from a trusted proxy.
     * @param request the HTTP request
     * @return the client IP address
     */
    public String getClientIp(final HttpServletRequest request) {
        final String remoteAddr = request.getRemoteAddr();

        // Only trust proxy headers if the request comes from a trusted proxy

        assertEquals("192.168.1.100", rateLimitHelper.getClientIp(request));
    }

    @Test
    public void test_getClientIp_xForwardedFor_trustedProxy() {
        // 127.0.0.1 is configured as a trusted proxy by default
        final MockletHttpServletRequest request = getMockRequest();
        request.setRemoteAddr("127.0.0.1");
        request.addHeader("X-Forwarded-For", "203.0.113.50, 70.41.3.18, 150.172.238.178");

   *
   *
   * The victim's gets a non-CA certificate signed by a CA, and pins the CA root and/or
   * intermediate. This is business as usual.
   *
   * ```
   *   pinnedRoot (trusted by CertificatePinner)
   *     -> pinnedIntermediate (trusted by CertificatePinner)
   *       -> realVictim
   * ```
   *
   * The attacker compromises a CA. They take the public key from an intermediate certificate

```

This handshake is successful because each party has prearranged to trust the root certificate that
signs the other party's chain.

Well-Known Certificate Authorities
----------------------------------

In these examples we've prearranged which root certificates to trust. But for regular HTTPS on the
Internet this set of trusted root certificates is usually provided by default by the host platform.

{{/*
Formats volumeMount for MinIO TLS keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolumeMount" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
  mountPath: {{ .Values.certsPath }}
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $casPath := printf "%s/CAs" .Values.certsPath | clean }}
- name: trusted-cert-secret-volume
  mountPath: {{ $casPath }}
{{- end }}

```
kubectl -n minio create secret generic minio-trusted-certs --from-file=public.crt --from-file=keycloak.crt
```

If TLS is not enabled, you would need only the third party CA:

```
kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt
```

    /**
     * Cache of trusted domains for DFS resolution
     */
    protected CacheEntry _domains = null; /* aka trusted domains cache */
    /**
     * Cache of DFS referrals
     */
    protected CacheEntry referrals = null;

    /**
     * Gets the map of trusted domains for DFS resolution
     * @param auth the authentication credentials
     * @return a map of trusted domain names to domain controllers

              //    chain
              // We can only do this for Trusted, because Trusted implementations of cancel do
              // nothing but delegate to this method and do not permit user overrides.
              AbstractFuture<?> trusted = (AbstractFuture<?>) futureToPropagateTo;
              localValue = trusted.value();
              if (localValue == null | localValue instanceof DelegatingToFuture) {

 *
 * <p>This interface is intended for internal use.</p>
 */
public interface DfsResolver {

    /**
     * Checks if a domain is trusted for DFS operations
     * @param tf the CIFS context
     * @param domain the domain name to check
     * @return whether the given domain is trusted
     * @throws CIFSException if the operation fails
     */
    boolean isTrustedDomain(CIFSContext tf, String domain) throws CIFSException;

		if err != nil {
			logger.Fatal(fmt.Errorf("invalid arguments passed, trusted user certificate authority public key file is not accessible: %v", err), "unable to start SFTP server")
		}

		globalSFTPTrustedCAPubkey, _, _, _, err = ssh.ParseAuthorizedKey(keyBytes)
		if err != nil {