View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0006409unrealircdpublic2024-05-07 18:102024-05-07 18:12
Reportersyzop Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version6.1.5 
Summary0006409: proxy block: support multiple proxies / proxy count
DescriptionFor something like: proxy { type x-forwarded; match { ip 127.0.0.1; } }
In UnrealIRCd we normally receive a line like this, and it works well:
X-Forwarded-For: 1.1.1.1
So we set the IP address of the client to 1.1.1.1. This works great.

However, some proxies - or most likely: a chain of proxies - may send something like:
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3
Here, we can't blindly use the first IP (1.1.1.1), even though that is the correct one. We can't do that because it could also be a client spoofing by sending something like "X-Forwarded-For: 1.1.1.1, 2.2.2.2" and then the proxy adding theirs resulting in "X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3". We can't differentiate between a double-chained proxy or such an attack. Right now UnrealIRCd therefore takes the last address (3.3.3.3) which is likely incorrect.

Anyway, long story short, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#selecting_an_ip_address

" When choosing the first trustworthy X-Forwarded-For client IP address, additional configuration is required. There are two common methods:

* Trusted proxy count: The count of reverse proxies between the internet and the server is configured. The X-Forwarded-For IP list is searched from the rightmost by that count minus one. (For example, if there is only one reverse proxy, that proxy will add the client's IP address, so the rightmost address should be used. If there are three reverse proxies, the last two IP addresses will be internal.)
* Trusted proxy list: The IPs or IP ranges of the trusted reverse proxies are configured. The X-Forwarded-For IP list is searched from the rightmost, skipping all addresses that are on the trusted proxy list. The first non-matching address is the target address."

At the moment we offer neither option.

We should offer something like that count thing or proxy list, so people can configure it to "stop earlier" to make it use the correct end-user IP address.
TagsNo tags attached.
3rd party modules

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2024-05-07 18:10 syzop New Issue
2024-05-07 18:11 syzop Description Updated
2024-05-07 18:12 syzop Description Updated
2024-05-07 18:12 syzop Description Updated
2024-05-07 18:12 syzop Description Updated