On Wed, Jan 13, 2021, at 22:53, Maxim Dounin wrote: > It's not "dangerous config", it's incorrect usage of > X-Forwarded-For which might be dengerous. In the most simply > configuration with a single server the X-Forwarded-For header > comes directly from the client, without anything added by nginx - > and this has exactly the same implications. >
Unfortunately, at least in rails, it's actually dangerous passing the value as is: https://github.com/rails/rails/blob/3f4fde4d9f804140be8304b524792c052e3d1024/actionpack/lib/action_dispatch/middleware/remote_ip.rb#L21 At least they have added a bunch of check to make it less dangerous even when using $proxy_add_x_forwarded_for (essentially works just like $remote_addr in default config). > While X-Forwarded-For is often misused by applications and > incorrect configurations by blindly trusting addresses in it, > removing the header is going to make destroy the information > available for well-written applications. While you it might be a > good idea to remove the header in your particular use case - if > you are sure enough your applications doesn't use it - this is > certainly not how things should be configured by default. > Yeah, I'm not going to trust X-Forwarded-For sent by client. Maybe it's just me. $remote_addr to me is their geolocation. Anything more "sophisticated" just looked like a potential of failure. And I don't want to have to worry if my $random_app parses the X-Forwarded-For sanely. At most I'd just log it at the edge server. Look at this wonderful function by wordpress (thankfully they do aware it's "unsafe"): https://github.com/WordPress/WordPress/blob/c5d1214607be128c99dd27589a58cc5a1d20d522/wp-admin/includes/class-wp-community-events.php#L262 Semi unrelated but I can't find this list of IPs used by Opera Mini proxies. Do you know where I can find it? _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
