> On 23.04.2024, at 18:07, David Osborne <da...@qcode.co.uk> wrote:
> 
> But the Client can initiate requests which have X-Forwarded-For Headers 
> already present, then we run into difficulties
> 
> Client: IP 1.1.1.1 : sends X-Forwarded-For: 1.2.3.4
> |
> Proxy 1: sends X-Forwarded-For: 1.2.3.4,1.1.1.1
> Proxy 2: sends X-Forwarded-For: 1.2.3.4,1.1.1.1,2.2.2.2
> Naviserver: peeraddr -source forwarded = 1.2.3.4

This is the case where proxy 1 should not accept the x-forwarded-for header 
from an untrusted upstream server. In case proxy1 is an nginx server, it should 
use
      proxy_set_header X-Forwarded-For $remote_addr;
for untrusted upstream requests. Therefore, proxy 2 will receive 
x-forwarded-for with 1.1.1.1, 2.2.2.2 etc. and everything is fine.

> 
> We have got around this by using proxy2 to clobber the X-Forwarded-For header 
> using the Nginx real_ip module which has the logic that it will use the 
> rightmost IP if from a trusted peer.
> 
> Client: IP 1.1.1.1 : sends X-Forwarded-For: 1.2.3.4
> |
> Proxy 1: sends X-Forwarded-For: 1.2.3.4,1.1.1.1
> Proxy 2: sends X-Forwarded-For: 1.1.1.1 (as calculated by real_ip logic 
> <https://nginx.org/en/docs/http/ngx_http_realip_module.html> - we trust 
> proxy1, so use the most recent IP - the rightmost)
> |
> Naviserver: peeraddr -source forwarded = 1.1.1.1

By this “trick” one can skip the “untrusted” 
X-Forwarded-For: 1.2.3.4 in your configuration.

However, without the massaging in proxy2, you would end up with 

    X-Forwarded-For: 1.2.3.4,1.1.1.1,2.2.2.2

where the rightmost address is as well incorrect. So, even by the search from 
the right, one should skip the known proxy servers from the list (here 
2.2.2.2).  Also, one should aim for a configuration that also works when one 
more different proxy is added. 

> However, we are looking into dropping proxy2. Unfortunately proxy1 does not 
> have the flexibility to manipulate headers in such a way

Does your proxy1 set something like the x-real-ip header?

-g
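The "search from the right, but skip the known proxy servers" rule from the reply above, as an added Python example (not code from the thread, NaviServer or nginx). It assumes 2.2.2.2 is proxy 1 and a constructed 3.3.3.3 is proxy 2, the hop NaviServer actually talks to.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed for this example: proxy 1 is 2.2.2.2 (as in the thread),
# proxy 2 is assumed to be 3.3.3.3. Only these may vouch for hops to their left.
TRUSTED_PROXIES = ["2.2.2.2", "3.3.3.3"]


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its hops, left (oldest) to right."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def _is_trusted(addr: str, trusted_nets) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in the header is never a trusted proxy
    return any(ip in net for net in trusted_nets)


def client_ip(peer: str, xff: Optional[str], trusted: Iterable[str]) -> str:
    """Return the client address for a request.

    The TCP peer is the rightmost hop; the header is walked right to left and
    every trusted proxy is skipped. The first address that is not one of our
    proxies is the client. Anything further left (e.g. a client-supplied
    1.2.3.4) was never vouched for by a trusted hop, so it is ignored.
    """
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    if not _is_trusted(peer, trusted_nets):
        return peer  # direct connection: the header cannot be trusted at all
    for hop in reversed(parse_xff(xff or "")):
        if _is_trusted(hop, trusted_nets):
            continue  # one of our own proxies, look one hop further left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: do not go past it, fall back to the peer
        return hop
    return peer  # header empty or only our proxies: best we can do is the peer


if __name__ == "__main__":
    # The unmassaged chain from the thread: 1.2.3.4 is skipped, 2.2.2.2 is ours.
    print(client_ip("3.3.3.3", "1.2.3.4,1.1.1.1,2.2.2.2", TRUSTED_PROXIES))
```

Adding another proxy only means appending its address to `TRUSTED_PROXIES`; the walk itself does not change.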

_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel