*
 * <p>This interface is intended for internal use.</p>
 */
public interface DfsResolver {

    /**
     * Checks if a domain is trusted for DFS operations
     * @param tf the CIFS context
     * @param domain the domain name to check
     * @return whether the given domain is trusted
     * @throws CIFSException if the operation fails
     */
    boolean isTrustedDomain(CIFSContext tf, String domain) throws CIFSException;

-----------------------

The above example uses a self-signed certificate. This is convenient for testing but not
representative of real-world HTTPS deployment. To get closer to that we can use `HeldCertificate`
to generate a trusted root certificate, an intermediate certificate, and a server certificate.
We use `certificateAuthority(int)` to create certificates that can sign other certificates. The

    /**
     * Cache of trusted domains for DFS resolution
     */
    protected CacheEntry _domains = null; /* aka trusted domains cache */
    /**
     * Cache of DFS referrals
     */
    protected CacheEntry referrals = null;

    /**
     * Gets the map of trusted domains for DFS resolution
     * @param auth the authentication credentials
     * @return a map of trusted domain names to domain controllers

		if err != nil {
			logger.Fatal(fmt.Errorf("invalid arguments passed, trusted user certificate authority public key file is not accessible: %v", err), "unable to start SFTP server")
		}

		globalSFTPTrustedCAPubkey, _, _, _, err = ssh.ParseAuthorizedKey(keyBytes)
		if err != nil {

* Caddy (that can also handle certificate renewals)
* Nginx
* HAProxy

## Let's Encrypt { #lets-encrypt }

Before Let's Encrypt, these **HTTPS certificates** were sold by trusted third parties.

The process to acquire one of these certificates used to be cumbersome, require quite some paperwork and the certificates were quite expensive.

    /** The SAM database does not have a computer account for this workstation trust relationship */
    int NT_STATUS_NO_TRUST_SAM_ACCOUNT = 0xC000018b;
    /** The trust relationship between the primary domain and the trusted domain failed */
    int NT_STATUS_TRUSTED_DOMAIN_FAILURE = 0xC000018c;
    /** The trust relationship between this workstation and the primary domain failed */
    int NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE = 0xC000018d;

    /** The SAM database does not have a computer account for this workstation trust relationship */
    int NT_STATUS_NO_TRUST_SAM_ACCOUNT = 0xC000018b;
    /** The trust relationship between the primary domain and the trusted domain failed */
    int NT_STATUS_TRUSTED_DOMAIN_FAILURE = 0xC000018c;
    /** The account used is a computer account */
    int NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT = 0xC0000199;

You can start FastAPI CLI with the *CLI Option* `--forwarded-allow-ips` and pass the IP addresses that should be trusted to read those forwarded headers.

If you set it to `--forwarded-allow-ips="*"` it would trust all the incoming IPs.

If your **server** is behind a trusted **proxy** and only the proxy talks to it, this would make it accept whatever is the IP of that **proxy**.

<div class="termy">

```console

    version of the library.

5.  Our classes are not designed to protect against a malicious caller. You
    should not use them for communication between trusted and untrusted code.

6.  For the mainline flavor, we test the libraries using OpenJDK 8, 11, and 17
    on Linux, with some additional testing on newer JDKs and on Windows. Some

		return
	}

	certificate := r.TLS.PeerCertificates[0]
	if !globalIAMSys.STSTLSConfig.InsecureSkipVerify { // Verify whether the client certificate has been issued by a trusted CA.
		_, err := certificate.Verify(x509.VerifyOptions{
			KeyUsages: []x509.ExtKeyUsage{
				x509.ExtKeyUsageClientAuth,
			},
			Intermediates: intermediates,
			Roots:         globalRootCAs,
		})