On Wed, 24 Apr 2024 at 18:53, Gustaf Neumann (sslmail) <neum...@wu.ac.at>
wrote:

> This is the case where proxy 1 should not accept the x-forwarded-for
> header from an untrusted upstream server. In case, proxy1 is a nginx
> server, it should use
> proxy_set_header X-Forwarded-For $remote_addr;
> for untrusted upstream requests. Therefore, proxy 2 will receive
> x-forwarded-for with 1.1.1.1, 2.2.2.2 etc. and everything is fine.


Agreed - however without a formal standard for X-Forwarded-For, proxies
don't always provide this level of control. In our case, to preserve the
client IP, appending to any existing X-Forwarded-For is the only option
offered. (I have raised this with the suppliers of "proxy1"). I'm not sure
that this is actually wrong behaviour - but definitely unhelpful - yes!


> However, without the massaging in proxy2, you would end up with
>
>     X-Forwarded-For: 1.2.3.4,1.1.1.1,2.2.2.2
>
> where the rightmost address is as well incorrect. So, even by the search
> from the right, one should skip the known proxy servers from the list (here
> 2.2.2.2).  Also, one should aim for a configuration that works also, when
> one more different proxy is added.
>

Yes exactly. When the X-Forwarded-For header is just passed downstream
while appending peer addresses, the backend server must have knowledge of
its networking "situation" to make a judgement.
Possibly a list of the IPs of trusted proxies ("from right-to-left, use the
first IP which isn't a trusted proxy")

set reverseproxytrust [list 2.2.2.2/32 3.3.3.3/32]

Or, the backend would need knowledge of HOW MANY trusted proxies are
upstream. ("from right-to-left, use $count-1 on the list")

set reverseproxytrustedcount 2

This feels brittle though and does not take into account multiple routes
into the backend.

As I mentioned, we *can* write a wrapper to [ns_conn peeraddr -source
forwarded] which would return the value we want by inspecting the headers.
However this would still leave the access log logging the wrong IP - can
this be controlled via config?


> Does your proxy1 set something like the x-real-ip header?
>
>
It does not - I've raised the question with the developers.
_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
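The two selection rules discussed above (a trusted-proxy list scanned right-to-left, and a fixed hop count) as an added example in Python rather than NaviServer's Tcl; this is not code from the thread or from NaviServer. The trusted list mirrors the 2.2.2.2/32 and 3.3.3.3/32 entries above, the check that the direct peer must itself be a trusted proxy before the header is believed at all is an assumption, and the header values are constructed.

```python
import ipaddress

# Constructed to match the thread's "set reverseproxytrust [list 2.2.2.2/32 3.3.3.3/32]"
TRUSTED = [ipaddress.ip_network(n) for n in ("2.2.2.2/32", "3.3.3.3/32")]


def _parse(addr: str):
    """Return an ip_address object, or None if the token is not a valid address."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_trusted(addr: str, trusted) -> bool:
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted)


def _entries(xff: str):
    return [e.strip() for e in xff.split(",") if e.strip()]


def client_ip_by_trust(xff: str, peer_addr: str, trusted=TRUSTED) -> str:
    """Right-to-left: skip known proxies, the first other address is the client.

    Assumption: the header is only consulted when the TCP peer is itself a
    trusted proxy; otherwise anyone can connect directly and forge it."""
    if not _is_trusted(peer_addr, trusted):
        return peer_addr
    for entry in reversed(_entries(xff)):
        if _is_trusted(entry, trusted):
            continue  # a proxy we run, keep walking left (works if one more is added)
        ip = _parse(entry)
        # Malformed token: fall back to the peer rather than log attacker-supplied text
        return str(ip) if ip is not None else peer_addr
    return peer_addr  # header contained nothing but our own proxies


def client_ip_by_count(xff: str, peer_addr: str, count: int) -> str:
    """Hop-count variant: with `count` trusted proxies the client is entries[-count]
    (index count-1 from the right). Brittle when the route into the backend changes."""
    entries = _entries(xff)
    if count < 1 or len(entries) < count:
        return peer_addr
    ip = _parse(entries[-count])
    return str(ip) if ip is not None else peer_addr
```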