Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Configure trusted proxies #9548

Merged
merged 2 commits into from
Mar 19, 2024
Merged

fix: Configure trusted proxies #9548

merged 2 commits into from
Mar 19, 2024

Conversation

Dschoordsch
Copy link
Contributor

Our proxy will add the client ip to the x-forwarded-for header correctly and also itself as it does NAT. Configure the number of trusted proxies to read the correct entry from the header to avoid manipulation by clients.

Description

Fixes/Partially Fixes #[issue number]
[Please include a summary of the changes and the related issue]

Demo

[If possible, please include a screenshot or gif/video, it'll make it easier for reviewers to understand the scope of the changes and how the change is supposed to work. If you're introducing something new or changing the existing patterns, please share a Loom and explain what decisions you've made and under what circumstances]

Testing scenarios

[Please list all the testing scenarios a reviewer has to check before approving the PR]

  • Scenario A

    • Step 1
    • Step 2...

  • Scenario B

    • Step 1
    • Step 2....

Final checklist

  • I checked the code review guidelines
  • I have added Metrics Representative as reviewer(s) if my PR invovles metrics/data/analytics related changes
  • I have performed a self-review of my code, the same way I'd do it for any other team member
  • I have tested all cases I listed in the testing scenarios and I haven't found any issues or regressions
  • Whenever I took a non-obvious choice I added a comment explaining why I did it this way
  • I added the label Skip Maintainer Review Indicating the PR only requires reviewer review and can be merged right after it's approved if the PR introduces only minor changes, does not contain any architectural changes or does not introduce any new patterns and I think one review is sufficient'
  • PR title is human readable and could be used in changelog

@Dschoordsch
fix: Configure trusted proxies
08ae2fb 
Our proxy will add the client ip to the x-forwarded-for header correctly
and also itself as it does NAT. Configure the number of trusted proxies
to read the correct entry from the header to avoid manipulation by
clients.
rafaelromcar
rafaelromcar reviewed Mar 19, 2024
View reviewed changes
packages/server/utils/uwsGetIP.ts
@@ -1,7 +1,11 @@
import {HttpRequest, HttpResponse} from 'uWebSockets.js'

const TRUSTED_PROXY_COUNT = Number(process.env.TRUSTED_PROXY_COUNT)
// if TRUSTED_PROXY_COUNT is not configured correctly we fall back to reading the first IP to avoid rate limiting our proxy
const CLIENT_IP_POS = isNaN(TRUSTED_PROXY_COUNT) ? 0 : -1 - TRUSTED_PROXY_COUNT
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why setting to -1 - TRUSTED_PROXY_COUNT instead of just TRUSTED_PROXY_COUNT? I feel that more flexible. In our case we would use a negative value, in other cases it could be used in other way. Some clarification could be added to the .env.example saying that the number can be negative to pick stuff starting from the end.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When configured, you should always pick from the end. Everything at the beginning of the list is in client control and the proxies will add stuff to the end. I don't see a situation where one would want to read from the start.
The number to configure is really how many proxies are in your stack.

Previously we used the whole array as a key, but now we seem to check that it's a valid ip, so we need to pick a entry from the array. We cannot default to the last entry as this would rate limit the traffic coming from the proxy. Maybe we should add a warning that configuring this the wrong way would do that?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, a warning or some clearer instructions would do. That said, LGTM.

@Dschoordsch Dschoordsch merged commit 24df17b into master Mar 19, 2024
5 checks passed
@Dschoordsch Dschoordsch deleted the fix/trustOurProxy branch March 19, 2024 17:02
@parabol-release-bot parabol-release-bot bot mentioned this pull request Mar 19, 2024
Merged
@github-actions github-actions bot mentioned this pull request Mar 19, 2024
Merged
24 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rafaelromcar rafaelromcar rafaelromcar left review comments

@rafaelromcar-parabol rafaelromcar-parabol rafaelromcar-parabol approved these changes

Assignees
No one assigned
Labels
size/xs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Dschoordsch @rafaelromcar @rafaelromcar-parabol