Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow using 'x-forwarded-for' as source ip addr #15

Closed
wants to merge 2 commits into from
Closed

Allow using 'x-forwarded-for' as source ip addr #15

wants to merge 2 commits into from

Conversation

XiaoliChan
Copy link

@XiaoliChan XiaoliChan commented Jun 21, 2023
edited
Loading

Now it can use 'x-forwarded-for' as the real source IP address, for some situations like the http server behind the Cloudflare

Enable it with forwarded_as_sources_ip

Test with Cloudflare CDN service:

  • Without forwarded_as_sources_ip, the module didn't detect my real source IP.
    image

  • With forwarded_as_sources_ip, the module now can detect my real source IP.
    image

    image

@XiaoliChan XiaoliChan changed the title Allow using 'x-forwarded-ip' as source ip addr Allow using 'x-forwarded-for' as source ip addr Jun 25, 2023
@francislavoie
Copy link

francislavoie commented May 22, 2024
edited
Loading

This is insecure and should not be merged as-is. The X-Forwarded-For header is spoofable. (Someone could set the header to an IP from an allowed country then send that directly to Caddy)

Caddy provides a secure way of reading the data from that header via https://caddyserver.com/docs/caddyfile/options#trusted-proxies. The plugin could read from the client_ip stored in the request context, and match against that.

@ale-rinaldi
Copy link
Member

This is insecure and should not be merged as-is. The X-Forwarded-For header is spoofable. (Someone could set the header to an IP from an allowed country then send that directly to Caddy)

Caddy provides a secure way of reading the data from that header via https://caddyserver.com/docs/caddyfile/options#trusted-proxies. The plugin could read from the client_ip stored in the request context, and match against that.

Yeah, that's correct. It's what I wanted to answer, then my wife had a baby and I totally forgot about this :P
I'm gonna make the change to rely on Caddy's first-class support for this. PRs welcome meanwhile :)

@XiaoliChan
Copy link
Author

Yes, caddy now is support client_ip, before that, I used it long time ago.

@ale-rinaldi
Copy link
Member

ale-rinaldi commented May 23, 2024
edited
Loading

Yes, caddy now is support client_ip, before that, I used it long time ago.

Yeah, I see and I'm happy your fork solved the situation for you.
Actually, first-class support for client IP was introduced with caddyserver/caddy#5104 that dates a little before your pull request. That's why I never merged it: I planned to rely on Caddy official support, but I never managed to implement it and I forgot to update about this on this PR. My fault, sorry.

If you or @francislavoie or anyone else is willing to do a PR for this, that would be really appreciated.

@ZeroAnarchy
Copy link
Contributor

@ale-rinaldi

If you or @francislavoie or anyone else is willing to do a PR for this, that would be really appreciated.

Ready! PR #26 and #27

@ale-rinaldi
Copy link
Member

Good job @ZeroAnarchy ! They're merged

@ale-rinaldi ale-rinaldi closed this Aug 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@XiaoliChan @francislavoie @ale-rinaldi @ZeroAnarchy