BBlack has submitted this change and it was merged.
Change subject: VCL: explicitly clear XRIP to prevent spoofing to applayer
......................................................................
VCL: explicitly clear XRIP to prevent spoofing to applayer
Change-Id: I04258f5e3d47a57cf00bc5396848fb912ec252f6
---
M modules/varnish/templates/vcl/wikimedia.vcl.erb
1 file changed, 5 insertions(+), 0 deletions(-)
Approvals:
BBlack: Verified; Looks good to me, approved
diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb
b/modules/varnish/templates/vcl/wikimedia.vcl.erb
index 8a7c7f6..ead9197 100644
--- a/modules/varnish/templates/vcl/wikimedia.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb
@@ -385,6 +385,11 @@
unset req.http.X-Carrier;
unset req.http.X-Carrier-Meta;
+ // unset this one just because it's well-known and some default
+ // software configs may look at it, and an external client may spoof
+ // it. We don't set or use this header internally (we use X-Client-IP)
+ unset req.http.X-Real-IP;
+
if (client.ip !~ wikimedia_nets) {
// Ensure we only accept XFP from our own networks. Ideally
// it should only be set by our nginx TLS terminator
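Review bot: The new `unset req.http.X-Real-IP` is unconditional, sitting above the `if (client.ip !~ wikimedia_nets)` block, so it also strips the header from requests originating inside our own networks; that is consistent with the comment's "We don't set or use this header internally", but since the XFP handling a few lines down deliberately restricts only external sources, the comment should say outright that clearing it for all sources is intentional (e.g. "cleared unconditionally: no internal hop sets it, unlike XFP below"), so nobody later "fixes" it by moving the unset inside the conditional. Minor: the comment's "unset this one just because it's well-known" reads as hedging; stating the actual rationale, that downstream software may trust it by default and the client controls it, is clearer.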
--
To view, visit https://gerrit.wikimedia.org/r/258154
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I04258f5e3d47a57cf00bc5396848fb912ec252f6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits