X-Forwarded-For #4380

Merged
merged 9 commits into from
Apr 17, 2018
jefferai
Member

Docs are still todo.

This uses the approach of "specify how many hops back we should be looking" rather than some metric like "is a public IP" in order to validate. Behavior on unauthorized address or missing header can be set to reject or allow (without actually trusting the header).

@jefferai jefferai added this to the 0.10.1 milestone Apr 17, 2018
@jefferai jefferai requested review from calvn and vishalnayak April 17, 2018 17:46
@@ -761,6 +761,10 @@ func parseListeners(result *Config, list *ast.ObjectList) error {
"address",
"cluster_address",
"endpoint",
"forwarded_for_authorized_addrs",
"forwarded_for_hop_skips",
"forwarded_for_reject_non_authorized",
Contributor

Thoughts on non_authorized vs not_authorized? not_authorized can go a little better with not_present.

Member Author

Good idea, changed.

for _, addr := range stringAddrs {
sa, err := sockaddr.NewSockAddr(addr)
if err != nil {
return nil, errwrap.Wrapf("error parsing address: {{err}}", err)
Contributor

Do we want to mention the problematic addr in the error statement?

Member Author

Done.

http/handler.go Outdated
if len(headers) == 1 {
headers = strings.Split(headers[0], ",")
}
for i, v := range headers {
Contributor

Is passing multiple X-Forwarded-For headers that are each comma separated valid [0]? If so, this is only iterating through the first set and not parsing the values correctly.

[0]: -H 'X-Forwarded-For: 203.0.113.100, 203.0.113.101' -H 'X-Forwarded-For: 203.0.113.200, 203.0.113.201'

Member Author

It's not an actual standard, so...no idea? I guess I can handle that.

Member Author

Fixed.
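
The selection logic discussed in this thread (a hop count, authorized peers, reject-or-allow, and several comma-separated header lines), as an added Go example; it is not code from this pull request or its project. The `Policy` type, `ClientAddr`, the sample values, counting skips from the right-hand end of the list, and the order of the checks are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Policy holds the three knobs discussed in this PR; the field names are hypothetical.
type Policy struct {
	Authorized                            []netip.Prefix // peers allowed to set the header
	HopSkips                              int            // entries skipped from the right end (assumption)
	RejectNotAuthorized, RejectNotPresent bool
}

// ClientAddr picks the address a request is attributed to; xff is every X-Forwarded-For line.
func ClientAddr(peer string, xff []string, p Policy) (netip.Addr, error) {
	pa, err := netip.ParseAddr(peer) // peer is the TCP peer's IP
	if err != nil {
		return netip.Addr{}, err
	}
	var hops []string // flatten: each header line may itself be comma separated
	for _, h := range strings.Split(strings.Join(xff, ","), ",") {
		if h = strings.TrimSpace(h); h != "" {
			hops = append(hops, h)
		}
	}
	trusted := false
	for _, pfx := range p.Authorized {
		trusted = trusted || pfx.Contains(pa)
	}
	switch {
	case len(hops) == 0 && p.RejectNotPresent:
		return netip.Addr{}, fmt.Errorf("missing X-Forwarded-For header")
	case !trusted && p.RejectNotAuthorized:
		return netip.Addr{}, fmt.Errorf("peer %s may not set X-Forwarded-For", pa)
	case len(hops) == 0 || !trusted:
		return pa, nil // allowed through, but the header is never trusted
	}
	if p.HopSkips < 0 || p.HopSkips >= len(hops) {
		return netip.Addr{}, fmt.Errorf("cannot skip %d hops with %d entries", p.HopSkips, len(hops))
	}
	return netip.ParseAddr(hops[len(hops)-1-p.HopSkips]) // parse error names the bad entry
}

// Constructed sample: a trusted proxy range and the two header lines from the review comment.
var samplePolicy = Policy{Authorized: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}, HopSkips: 1}
var sampleXFF = []string{"203.0.113.100, 203.0.113.101", "203.0.113.200, 203.0.113.201"}
func main() { fmt.Println(ClientAddr("10.0.0.5", sampleXFF, samplePolicy)) }
```

With one skip the constructed request resolves to the third of the four flattened entries; an unauthorized peer gets its own address back unless rejection is enabled.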

calvn previously approved these changes Apr 17, 2018
@jefferai jefferai merged commit 80b1770 into master Apr 17, 2018
@vishalnayak vishalnayak deleted the x-forwarded-for branch April 18, 2018 00:55