> On 23.04.2024, at 18:07, David Osborne <da...@qcode.co.uk> wrote:
>
> But the Client can initiate requests which have X-Forwarded-For Headers
> already present, then we run into difficulties
>
> Client: IP 1.1.1.1 : sends X-Forwarded-For: 1.2.3.4
> |
> Proxy 1: sends X-Forwarded-For: 1.2.3.4,1.1.1.1
> Proxy 2: sends X-Forwarded-For: 1.2.3.4,1.1.1.1,2.2.2.2
> Naviserver: peeraddr -source forwarded = 1.2.3.4

This is the case where proxy 1 should not accept the x-forwarded-for header from an untrusted upstream server. In case proxy1 is an nginx server, it should use "proxy_set_header X-Forwarded-For $remote_addr;" for untrusted upstream requests. Therefore, proxy 2 will receive x-forwarded-for with 1.1.1.1, 2.2.2.2 etc. and everything is fine.

> We have got around this by using proxy2 to clobber the X-Forwarded-For header
> using the Nginx real_ip module which has the logic that it will use the
> rightmost IP if from a trusted peer.
>
> Client: IP 1.1.1.1 : sends X-Forwarded-For: 1.2.3.4
> |
> Proxy 1: sends X-Forwarded-For: 1.2.3.4,1.1.1.1
> Proxy 2: sends X-Forwarded-For: 1.1.1.1 (as calculated by real_ip
> <https://nginx.org/en/docs/http/ngx_http_realip_module.html> logic - we trust
> proxy1, so use the most recent IP - the rightmost)
> |
> Naviserver: peeraddr -source forwarded = 1.1.1.1

By this “trick” one can skip in your configuration the “untrusted” X-Forwarded-For: 1.2.3.4. However, without the massaging in proxy2, you would end up with X-Forwarded-For: 1.2.3.4,1.1.1.1,2.2.2.2 where the rightmost address is incorrect as well. So, even by the search from the right, one should skip the known proxy servers from the list (here 2.2.2.2). Also, one should aim for a configuration that works also when one more different proxy is added.

> However, we are looking into dropping proxy2. Unfortunately proxy1 does not
> have the flexibility to manipulate headers in such a way

Does your proxy1 set something like the x-real-ip header?

-g
_______________________________________________ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel
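The "search from the right, but skip the known proxies" rule from the reply above, as an added example written for this note (it is not NaviServer's implementation of ns_conn peeraddr -source forwarded). The peer address 3.3.3.3 for proxy 2 and the 10.0.0.0/8 range for an extra proxy are constructed values; 1.1.1.1, 1.2.3.4 and 2.2.2.2 are the thread's own.

```python
import ipaddress


def naive_rightmost(peer_addr, xff_header):
    """The approach the reply warns about: blindly take the rightmost entry."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    return hops[-1] if hops else peer_addr


def client_ip(peer_addr, xff_header, trusted_proxies):
    """Walk X-Forwarded-For from the right and skip every hop that is a known proxy.

    trusted_proxies: addresses or CIDR ranges of proxies we operate (constructed here).
    Rules:
      * if the TCP peer itself is not a trusted proxy, the header is attacker-controlled
        and is ignored: the peer address is the client;
      * otherwise hops are read right to left; trusted hops are skipped; the first
        untrusted hop is the client;
      * a malformed entry ends the walk (only addresses added by our proxies are
        believed); if every hop is trusted, the leftmost trusted hop is returned.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer):
        return str(peer)

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidate = peer
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break
        if is_trusted(ip):
            candidate = ip
            continue
        return str(ip)
    return str(candidate)


if __name__ == "__main__":
    # Constructed topology: proxy1 = 2.2.2.2, proxy2 = 3.3.3.3 (the TCP peer of NaviServer)
    TRUSTED = ["3.3.3.3", "2.2.2.2"]
    print(naive_rightmost("3.3.3.3", "1.2.3.4,1.1.1.1,2.2.2.2"))       # 2.2.2.2 (wrong)
    print(client_ip("3.3.3.3", "1.2.3.4,1.1.1.1,2.2.2.2", TRUSTED))    # 1.1.1.1
```

The last two lines of the block reproduce the unmassaged chain from the thread: the naive rightmost pick yields proxy 1's address, the proxy-skipping walk yields the real client.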