# Release 1.12.2

**Release Date**: July 9, 2026

> **INFO**
This release makes geographic matching and interpolation **X-Forwarded-For-safe** (opt-in through the Property Manager template), and raises the maximum origin **timeout to 10 minutes**.

## Geographic Matching

### X-Forwarded-For-safe geo resolution

Geographic values can be influenced by a client-supplied `X-Forwarded-For` header, which means a request could match a geo rule (or interpolate a `{{country}}` value) for a location the client is not actually in. This release resolves geo from the **true connecting IP** instead, when the property is configured to provide it.

Both geo **matching** (`geo`/`geo_country`, `continent`/`geo_continent`, `region`/`geo_region`, `city`/`geo_city`) and geo **interpolation** (`{{country}}`, `{{continent}}`, `{{region}}`, `{{city}}`) now prefer the XFF-safe value the property supplies, falling back to the request's default location (which takes X-Forwarded-For values into account) when it is not set. Matching and interpolation always resolve to the same value.

> **INFO**
This is backward compatible. Until the property is updated to template version 1.12.2 AND `eaas_geo_ignore_xff=on` is added into `PMUSER_TEMPLATE_ARGS` (see [Migration Guide](#enable-x-forwarded-for-safe-geo-resolution)), geo resolution behaves exactly as before.

## Origin Timeouts

### Maximum raised to 10 minutes

The `connectTimeout`, `firstByteTimeout`, and `readTimeout` origin timeout features now accept values up to **600,000 ms (10 minutes)**, raised from the previous maximum of 120,000 ms (2 minutes). The minimum is unchanged at 50 ms. This supports long-running origin responses such as large exports or streaming endpoints.

```json
{
  "delivery_config": {
    "version": "1.0",
    "onClientRequest": {
      "features": {
        "readTimeout": {
          "rules": [
            {
              "args": { "value": 600000 },
              "matchAll": { "paths_startswith": ["/export/"] }
            }
          ]
        }
      }
    }
  }
}
```

## Schema Changes

- `connectTimeout`, `firstByteTimeout`, and `readTimeout` maximum raised from `120000` to `600000` ms.

## Migration Guide

> **INFO**
Both changes are backward compatible. The timeout change requires no action. XFF-safe geo resolution is opt-in and takes effect only after the property is updated.

### Enable X-Forwarded-For-safe geo resolution

XFF-safe geo values are supplied by the **EaaS Property Manager template**, not by the tenant configuration. To turn it on for a property:

1. **Update the property to the EaaS PM template version 1.12.2 (or later).** The template adds a rule that reads the client's geo from the real connecting IP (`AK_CLIENT_REAL_IP`) rather than honoring `X-Forwarded-For`, and writes it into the `PMUSER_NOXFF_*` variables that EaaS reads.
2. **Set the `eaas_geo_ignore_xff=on` argument** in the property's `PMUSER_TEMPLATE_ARGS` variable. This flag gates the geo-population rule. In the 1.12.2 template it is included by default; confirm it is present and set to `on`.

Once both are in place, geo matching and `{{...}}` geo interpolation automatically resolve to the XFF-safe values — no tenant configuration change is required. To keep the previous behavior, leave `eaas_geo_ignore_xff` off (or unset).

## Resources

- [Delivery Configuration Documentation](/tenant-schemas/delivery-config)
- [Match Conditions Documentation](/tenant-schemas/match-conditions)
- [Security Configuration Documentation](/tenant-schemas/security-config)
- [Lists Reference](/tenant-schemas/lists)
- [Configuration Examples](/examples)
- [Tenant Schema (JSON)](/tenant-schema.json)

> **NOTE**
Questions or feedback? Please refer to the documentation or contact support.
