Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

taken account of X-Forwarded-For header #88

Closed
komuw opened this issue Jul 9, 2022 · 5 comments · Fixed by #187
Closed

taken account of X-Forwarded-For header #88

komuw opened this issue Jul 9, 2022 · 5 comments · Fixed by #187

Comments

@komuw
Copy link
Owner

komuw commented Jul 9, 2022

everywhere we are using request.RemoteAddr[1]; we should first check if X-Forwarded-For[2] exists and use that instead. Then fall back to request.RemoteAddr.
See[3] for how golang/pkgsite does it. Also how they do ratelimiting is interesting[4]

  1. https://github.com/komuw/ong/search?l=Go&q=RemoteAddr&type=
  2. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
  3. https://github.com/golang/pkgsite/blob/8b9886cdffa22a4f43206ac784fa1646fd0b6da6/internal/middleware/quota.go#L89-L94
  4. https://github.com/golang/pkgsite/blob/8b9886cdffa22a4f43206ac784fa1646fd0b6da6/internal/middleware/quota.go#L50-L70
@komuw
Copy link
Owner Author

komuw commented Jul 10, 2022

There's also the Forwarded[1] header which is standardized and is supposed to be a replacement of X-Forwarded-For .
The good thing about it is that, your trusted front-end proxy could include a secret token[2] to identify itself.
Forwarded: for=12.34.56.78, for=23.45.67.89;secret=egah2CGj55fSJFs, for=10.1.2.3

  1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
  2. https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

@komuw
Copy link
Owner Author

komuw commented Jul 10, 2022

We are not going to take X-Forwarded-For or Forwarded into account for now. This is because those headers can easily be spoofed among other problems. See[1] which deals with this comprehensively.

  1. https://adam-p.ca/blog/2022/03/x-forwarded-for/

@komuw komuw closed this as completed Sep 27, 2022
@komuw komuw reopened this Dec 7, 2022
@komuw
Copy link
Owner Author

komuw commented Dec 7, 2022

@komuw
Copy link
Owner Author

komuw commented Dec 7, 2022

komuw added a commit that referenced this issue Dec 11, 2022
What:
- Create middleware that adds the real client IP address
  Note that this is on a best effort basis. Finding the true client IP address is a precarious process[1]

Why:
- Fixes: #88

Ref:
1. https://adam-p.ca/blog/2022/03/x-forwarded-for/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant