Dear David & all,
I've now committed a version to the main branch of NaviServer on GitHub.
In addition to my last writeup, I've further increased the configurability to
make ignoring of non-public servers configurable, no matter whether trusted
servers are configured or not. To ease configuration, there is now its own
section (instead of using ever-growing variable names).
OLD:
ns_section ns/parameters {
    ...
    ns_param reverseproxymode true
    ...
}
NEW:
ns_section ns/parameters/reverseproxymode {
    ns_param enabled on
    ns_param trustedservers {192.168.0.0/16 137.208.89.213}
    ns_param skipnonpublic true
}
The detailed commit message ("x-forwarded-for" reform (part 1)) is at
https://github.com/naviserver-project/naviserver/commit/ab23158ece6fcbec4f740a41140592c910de64f3
Below are the test cases, where the key $X-$Y is read as follows:
- X: stands for skipnonpublic, and
- Y: stands for trustedservers configured (the trusted servers being
"192.168.0.0/16 127.0.0.1")
Documentation updates will follow.
all the best
-g
# just one XFF entry non-trusted (must be client)
lappend cases {ff {1.1.1.1} key 0-0 peer 1.1.1.1 forwarded 1.1.1.1}
lappend cases {ff {1.1.1.1} key 0-1 peer 1.1.1.1 forwarded 1.1.1.1}
lappend cases {ff {1.1.1.1} key 1-0 peer 1.1.1.1 forwarded 1.1.1.1}
lappend cases {ff {1.1.1.1} key 1-1 peer 1.1.1.1 forwarded 1.1.1.1}
# just one entry trusted (i.e. must be proxy server)
lappend cases {ff {192.168.1.10} key 0-0 peer 192.168.1.10 forwarded 192.168.1.10}
lappend cases {ff {192.168.1.10} key 0-1 peer 127.0.0.1 forwarded {}}
lappend cases {ff {192.168.1.10} key 1-0 peer 127.0.0.1 forwarded {}}
lappend cases {ff {192.168.1.10} key 1-1 peer 127.0.0.1 forwarded {}}
# just one entry local
lappend cases {ff {127.0.0.3} key 0-0 peer 127.0.0.3 forwarded 127.0.0.3}
lappend cases {ff {127.0.0.3} key 0-1 peer 127.0.0.3 forwarded 127.0.0.3}
lappend cases {ff {127.0.0.3} key 1-0 peer 127.0.0.1 forwarded {}}
lappend cases {ff {127.0.0.3} key 1-1 peer 127.0.0.1 forwarded {}}
# two entries, both untrusted
lappend cases {ff {1.1.1.1, 2.2.2.2} key 0-0 peer 1.1.1.1 forwarded 1.1.1.1}
lappend cases {ff {1.1.1.1, 2.2.2.2} key 0-1 peer 2.2.2.2 forwarded 2.2.2.2}
lappend cases {ff {1.1.1.1, 2.2.2.2} key 1-0 peer 1.1.1.1 forwarded 1.1.1.1}
lappend cases {ff {1.1.1.1, 2.2.2.2} key 1-1 peer 2.2.2.2 forwarded 2.2.2.2}
# two entries, second trusted
lappend cases {ff {1.1.1.1, 192.168.1.10} key 0-0 peer 1.1.1.1 forwarded 1.1.1.1}
lappend cases {ff {1.1.1.1, 192.168.1.10} key 0-1 peer 1.1.1.1 forwarded 1.1.1.1}
lappend cases {ff {1.1.1.1, 192.168.1.10} key 1-0 peer 1.1.1.1 forwarded 1.1.1.1}
lappend cases {ff {1.1.1.1, 192.168.1.10} key 1-1 peer 1.1.1.1 forwarded 1.1.1.1}
# two entries, both trusted
lappend cases {ff {192.168.1.11, 192.168.1.10} key 0-0 peer 192.168.1.11 forwarded 192.168.1.11}
lappend cases {ff {192.168.1.11, 192.168.1.10} key 0-1 peer 127.0.0.1 forwarded {}}
lappend cases {ff {192.168.1.11, 192.168.1.10} key 1-0 peer 127.0.0.1 forwarded {}}
lappend cases {ff {192.168.1.11, 192.168.1.10} key 1-1 peer 127.0.0.1 forwarded {}}
# two entries, both local
lappend cases {ff {127.0.0.2, 127.0.0.3} key 0-0 peer 127.0.0.2 forwarded 127.0.0.2}
lappend cases {ff {127.0.0.2, 127.0.0.3} key 0-1 peer 127.0.0.3 forwarded 127.0.0.3}
lappend cases {ff {127.0.0.2, 127.0.0.3} key 1-0 peer 127.0.0.1 forwarded {}}
lappend cases {ff {127.0.0.2, 127.0.0.3} key 1-1 peer 127.0.0.1 forwarded {}}
# empty entry
lappend cases {ff {} key 0-0 peer 127.0.0.1 forwarded {}}
lappend cases {ff {} key 0-1 peer 127.0.0.1 forwarded {}}
lappend cases {ff {} key 1-0 peer 127.0.0.1 forwarded {}}
lappend cases {ff {} key 1-1 peer 127.0.0.1 forwarded {}}
# wrong entry
lappend cases {ff {x} key 0-0 peer 127.0.0.1 forwarded {}}
lappend cases {ff {x} key 0-1 peer 127.0.0.1 forwarded {}}
lappend cases {ff {x} key 1-0 peer 127.0.0.1 forwarded {}}
lappend cases {ff {x} key 1-1 peer 127.0.0.1 forwarded {}}
# wrong entry on the right
lappend cases {ff {137.208.116.31, x} key 0-0 peer 137.208.116.31 forwarded 137.208.116.31}
lappend cases {ff {137.208.116.31, x} key 0-1 peer 127.0.0.1 forwarded {}}
lappend cases {ff {137.208.116.31, x} key 1-0 peer 137.208.116.31 forwarded 137.208.116.31}
lappend cases {ff {137.208.116.31, x} key 1-1 peer 127.0.0.1 forwarded {}}
# wrong entry on the left
lappend cases {ff {y, 137.208.116.31} key 0-0 peer 127.0.0.1 forwarded {}}
lappend cases {ff {y, 137.208.116.31} key 0-1 peer 137.208.116.31 forwarded 137.208.116.31}
lappend cases {ff {y, 137.208.116.31} key 1-0 peer 127.0.0.1 forwarded {}}
lappend cases {ff {y, 137.208.116.31} key 1-1 peer 137.208.116.31 forwarded 137.208.116.31}
> On 29.04.2024, at 10:47, David Osborne <[email protected]> wrote:
>
> Hi Gustaf,
>
> From your description it sounds like we could certainly work round our issue
> using the ReverseProxyTrustedServers config.
> Thank you very much for your time on this.
>
> On Fri, 26 Apr 2024 at 14:09, Gustaf Neumann (sslmail) <[email protected]> wrote:
>> Hi David,
>>
>> I have now implemented the following (but not yet committed,
>> since I was side-tracked by some tcl9 issues and I am running out of
>> time).
>>
>> From my understanding, this should address your problems now,
>> and when “proxy 2” is removed.
>>
>> An easy extension of this would be to let the site-admin configure
>> an alternative header field (like x-real-ip), which could bypass
>> the search through the list of candidate addresses.
>>
>> all the best
>> -gn
>>
>
> _______________________________________________
> naviserver-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel