Skip to content

Only trust direct proxy in the trusted downstream#2579

Open
lisongmin wants to merge 1 commit intotornadoweb:masterfrom
lisongmin:only-trust-direct-proxy-in-trusted-downstream
Open

Only trust direct proxy in the trusted downstream#2579
lisongmin wants to merge 1 commit intotornadoweb:masterfrom
lisongmin:only-trust-direct-proxy-in-trusted-downstream

Conversation

@lisongmin
Copy link

@lisongmin lisongmin commented Feb 1, 2019

Only trust direct proxy in the trusted downstream to avoid get xheader info from an untrusted proxy.

User must add direct proxy ip address to trusted downstream.

user1 ----------> real-proxy ----------> server
untrusted-proxy --x--^                     ^
                `-------------x------------|

This may be a break change, but more security.

@lisongmin
Copy link
Author

lisongmin commented Feb 1, 2019

It seams unittest failure is not relative to this MR.

@ploxiln
Copy link
Contributor

ploxiln commented Feb 1, 2019

looks correct to me
(extra blank lines may not match the surrounding code style though)
(only test failure was pypy timeout, may pass if you amend and force-push)

@lisongmin
Only trust direct proxy in the trusted downstream to avoid
7110bca 
get xheader info from an untrusted proxy.

User must add direct proxy ip address to trusted downstream.

```
user1 ----------> real-proxy ----------> server
untrusted-proxy --x--^                     ^
                `-------------x------------|
```
@lisongmin
Copy link
Author

lisongmin commented Feb 2, 2019

code style is fixed now.

@bdarnell
Copy link
Member

bdarnell commented Feb 2, 2019

This breaks backwards compatibility in a couple of ways.

First, it's valid to specify xheaders=True without specifying any trusted downstream addresses. This is partially for historical reasons and partially because if you're using a proxy you're often running behind a firewall where no untrusted connections are possible.

Second, I'm not sure it's compatible with the existing uses of trusted_downstream. This option is used when there are multiple proxies in the chain:

user  ->  proxy 1         -> proxy 2       -> server
          adds user ip       adds proxy1      sees proxy2 as remote_ip
          to XFF             to XFF           XFF contains proxy1 and user ip

In this case trusted_downstream would contain proxy 1 but not necessarily proxy 2.

What we really need is a more sophisticated way of configuring the xheaders system: which remote_ips can send xheaders, which xheaders are in use (the current behavior of trying both X-Real-IP and X-Forwarded-For is probably exploitable in some environments), which addresses should be filtered out of XFF, etc. (Maybe this would also be the way of configuring the haproxy protocol for #2492). The trusted_downstream option was a step in this direction but it was incompletely thought-out.

@ploxiln
Copy link
Contributor

ploxiln commented Feb 2, 2019

Ah, right, users who set xheaders but not trusted_downstream expect it to use the last/closest address from the headers.

(And looks like I forgot to have my nginx configs also remove X-Real-Ip headers ...)

@lisongmin
Copy link
Author

lisongmin commented Feb 4, 2019

Yes, I agree with you. this patch attempt resolve ** which remote ips can send xheader** with a non proper way. Feel free to close this MR.

By the way, are there any plan to design a new xheader system?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

httpserver

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lisongmin @ploxiln @bdarnell