Hi,

In reverseproxymode, when there is a list of IPs in the X-Forwarded-For header,
it's always the leftmost IP which is chosen by NaviServer for the
access logs (and ns_conn peeraddr):

X-Forwarded-For 1.1.1.1,2.2.2.2
ns_conn peeraddr -source forwarded = 1.1.1.1

Is there any mechanism by which we can resolve to the rightmost IP for the
access logs instead?

X-Forwarded-For 1.1.1.1,2.2.2.2
ns_conn peeraddr -source forwarded = 2.2.2.2

The use case is: if we are behind a single reverse proxy and X-Forwarded-For
already exists when the request hits that proxy, the proxy will often append
the client IP to the contents of the header.

In these cases, we don't want to trust the original contents of the header,
only what was added by our trusted proxy, e.g. the rightmost value.

The algorithm could be something like:

# Comma-separated header value -> Tcl list ("$x-forwarded-for" would be
# parsed by Tcl as "$x" followed by literal "-forwarded-for", so use $xff)
set raw [ns_set iget [ns_conn headers] X-Forwarded-For]
set xff [split [string map {" " ""} $raw] ","]
set client_ip [ns_conn peeraddr -source direct]
# "in" is a plain list-membership test, so trusted_subnet must be a list of
# proxy IP addresses (CIDR ranges would need a subnet-matching helper)
if { [llength $xff] > 1 && $client_ip in $trusted_subnet } {
   set client_ip [lindex $xff end]
}

We can currently do this programmatically by inspecting the headers
themselves, but the IP in the access logs would, I think, still be the
untrusted IP.

(This is really a limitation of the X-Forwarded-For mechanism itself, which is
why it is being superseded by the Forwarded header.)

Nginx has a config mechanism to express this, which includes
specifying the subnets or IP addresses you trust:
https://nginx.org/en/docs/http/ngx_http_realip_module.html

In NaviServer, it could be something like:
ns_param    reverseproxymode "true"
ns_param    reverseproxytrust [list 192.168.1.21 192.168.2.0/24]

Any suggestions on what is best to do here?

-- 

David Osborne | Software Engineer
Qcode Software
Email: da...@qcode.co.uk | Phone: 01463 896 484
www.qcode.co.uk
_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
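The resolution rule the post sketches (only trust what a known proxy appended), generalised to a list of trusted proxies/subnets in the style of nginx's set_real_ip_from/real_ip_recursive, as an added example. This is editorial illustration code, not NaviServer code and not the poster's; the function names (resolve_client, is_trusted), the TRUSTED_PROXIES list and the sample addresses are all assumptions constructed for the demo. It walks X-Forwarded-For right-to-left, skipping hops that are themselves trusted proxies, and falls back to the direct peer whenever the header cannot be trusted (direct connection from an untrusted peer, empty header, malformed hop).

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-in for the proposed "reverseproxytrust" setting: a single
# proxy (/32) plus a subnet. Hypothetical values chosen for the example.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.168.1.21/32", "192.168.2.0/24")]


def parse_ip(text: str):
    """Parse one X-Forwarded-For element; None if it is not a bare IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(addr, trusted=TRUSTED_PROXIES) -> bool:
    """True if addr falls inside any trusted proxy network (v4/v6 mismatch is False)."""
    return any(addr in net for net in trusted)


def split_hops(xff: Optional[str]) -> List[str]:
    """'1.1.1.1, 2.2.2.2' -> ['1.1.1.1', '2.2.2.2']; tolerates None/empty/whitespace."""
    return [h for h in (x.strip() for x in (xff or "").split(",")) if h]


def resolve_client(peer: str, xff: Optional[str], trusted=TRUSTED_PROXIES,
                   recursive: bool = True) -> Tuple[str, str]:
    """Return (client_ip, reason) for logging.

    peer      -- address of the TCP peer (what "ns_conn peeraddr -source direct" gives)
    xff       -- raw X-Forwarded-For header value, or None
    recursive -- True: skip trusted hops right-to-left (nginx real_ip_recursive on);
                 False: take exactly the rightmost hop (single trusted proxy).
    """
    peer_addr = ipaddress.ip_address(peer)
    if not is_trusted(peer_addr, trusted):
        # Direct connection not via our proxy: anything in the header is client-supplied.
        return str(peer_addr), "peer is not a trusted proxy; header ignored"

    hops = split_hops(xff)
    if not hops:
        return str(peer_addr), "no X-Forwarded-For; using direct peer"

    if not recursive:
        # Single-proxy case from the post: the rightmost element is what our proxy appended.
        addr = parse_ip(hops[-1])
        if addr is None:
            return str(peer_addr), "malformed rightmost hop; header ignored"
        return str(addr), "rightmost hop appended by trusted proxy"

    # Walk from the right: hops that are trusted proxies were appended by our own
    # tier, so keep going; the first untrusted address is the real client.
    for hop in reversed(hops):
        addr = parse_ip(hop)
        if addr is None:
            # A trusted proxy appends a real address, so garbage here means the
            # chain is broken; be conservative and log the peer instead.
            return str(peer_addr), f"malformed hop {hop!r}; header ignored"
        if not is_trusted(addr, trusted):
            return str(addr), "rightmost untrusted hop"

    # Every hop is one of our proxies (e.g. a health check from the proxy tier).
    return str(parse_ip(hops[0])), "all hops trusted; using leftmost"


if __name__ == "__main__":
    # Constructed sample requests: (direct peer, X-Forwarded-For)
    samples = [
        ("192.168.1.21", "1.1.1.1,2.2.2.2"),                    # case from the post
        ("203.0.113.9", "1.1.1.1"),                             # spoofed, no proxy
        ("192.168.2.7", "1.1.1.1, 192.168.2.5, 192.168.1.21"),  # two proxy hops
        ("192.168.1.21", "1.1.1.1, not-an-ip"),                 # broken chain
        ("192.168.1.21", " 2001:DB8::1 "),                      # IPv6, untidy spacing
    ]
    for peer, xff in samples:
        ip, why = resolve_client(peer, xff)
        print(f"peer={peer:14} xff={xff!r:45} -> {ip}  ({why})")
```

With recursive=False the function reproduces exactly the "take the rightmost value" rule from the post; with recursive=True it also handles a chain of our own proxies, which is the situation the nginx realip module's recursive mode exists for.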
