View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006409 | unreal | ircd | public | 2024-05-07 18:10 | 2024-05-07 18:12 |
Reporter | syzop | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Product Version | 6.1.5 | ||||
Summary | 0006409: proxy block: support multiple proxies / proxy count | ||||
Description

For something like:

    proxy {
        type x-forwarded;
        match { ip 127.0.0.1; }
    }

In UnrealIRCd we normally receive a line like this, and it works well:

    X-Forwarded-For: 1.1.1.1

So we set the IP address of the client to 1.1.1.1. This works great.

However, some proxies - or most likely: a chain of proxies - may send something like:

    X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3

Here, we can't blindly use the first IP (1.1.1.1), even though that is the correct one. We can't do that because it could also be a client spoofing by sending something like "X-Forwarded-For: 1.1.1.1, 2.2.2.2" and then the proxy adding theirs, resulting in "X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3". We can't differentiate between a double-chained proxy and such an attack. Right now UnrealIRCd therefore takes the last address (3.3.3.3), which is likely incorrect.

Anyway, long story short, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#selecting_an_ip_address

> When choosing the first trustworthy X-Forwarded-For client IP address, additional configuration is required. There are two common methods:
>
> * Trusted proxy count: The count of reverse proxies between the internet and the server is configured. The X-Forwarded-For IP list is searched from the rightmost by that count minus one. (For example, if there is only one reverse proxy, that proxy will add the client's IP address, so the rightmost address should be used. If there are three reverse proxies, the last two IP addresses will be internal.)
> * Trusted proxy list: The IPs or IP ranges of the trusted reverse proxies are configured. The X-Forwarded-For IP list is searched from the rightmost, skipping all addresses that are on the trusted proxy list. The first non-matching address is the target address.

At the moment we offer neither option. We should offer something like that count thing or proxy list, so people can configure it to "stop earlier" to make it use the correct end-user IP address.
Tags | No tags attached. | ||||
3rd party modules | |||||
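The two selection methods quoted from MDN above, written out as an added example in C. This is not UnrealIRCd code and not a proposed patch; it assumes a constructed topology of client 1.1.1.1 behind a chain of two proxies (2.2.2.2 and 3.3.3.3, constructed addresses) and shows how both methods pick the real peer address (9.9.9.9 in the spoofed case) instead of a forged leading entry, and what they return when the header is too short or consists only of trusted proxies (so the caller can fall back to the TCP peer address):

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define XFF_MAX_ENTRIES 32

/* Constructed sample topology (assumption, not from the issue):
 * client 1.1.1.1 -> proxy A (2.2.2.2) -> proxy B (3.3.3.3) -> server.
 * B is the server's TCP peer (the address a proxy { match { } } block would
 * check), so B itself never appears inside the header. */
const char *TRUSTED_PROXIES[] = { "2.2.2.2", "3.3.3.3" };
const int N_TRUSTED = 2;
/* Honest chain: A appends the client, B appends A. */
const char *LEGIT_XFF = "1.1.1.1, 2.2.2.2";
/* A client at 9.9.9.9 sends a forged "1.1.1.1, 2.2.2.2"; A appends 9.9.9.9
 * and B appends A's address, so the server sees four entries. */
const char *SPOOFED_XFF = "1.1.1.1, 2.2.2.2, 9.9.9.9, 2.2.2.2";

/* Split a header value on commas and trim whitespace. `buf` receives a
 * working copy that the returned pointers point into. Returns entry count. */
static int xff_split(const char *value, char *buf, size_t buflen,
                     const char *out[], int max)
{
    int n = 0;
    char *p;

    if (strlen(value) >= buflen)
        return 0;                 /* refuse over-long headers, don't truncate */
    strcpy(buf, value);
    p = buf;
    while (n < max) {
        char *comma = strchr(p, ',');
        char *end;
        if (comma)
            *comma = '\0';
        while (isspace((unsigned char)*p))
            p++;
        end = p + strlen(p);
        while (end > p && isspace((unsigned char)end[-1]))
            *--end = '\0';
        if (*p)
            out[n++] = p;
        if (!comma)
            break;
        p = comma + 1;
    }
    return n;
}

/* Trusted proxy count: with proxy_count reverse proxies in front of us, the
 * client is the proxy_count-th entry from the right. Returns 1 on success,
 * 0 if the list is shorter than expected (caller keeps the TCP peer address). */
int xff_client_ip_by_count(const char *value, int proxy_count,
                           char *out, size_t outlen)
{
    char buf[512];
    const char *entries[XFF_MAX_ENTRIES];
    int n = xff_split(value, buf, sizeof buf, entries, XFF_MAX_ENTRIES);

    if (proxy_count < 1 || n < proxy_count)
        return 0;
    snprintf(out, outlen, "%s", entries[n - proxy_count]);
    return 1;
}

static int is_trusted(const char *ip, const char *trusted[], int ntrusted)
{
    for (int i = 0; i < ntrusted; i++)
        if (strcmp(ip, trusted[i]) == 0)
            return 1;
    return 0;
}

/* Trusted proxy list: walk from the right, skipping trusted proxies; the
 * first other address is the client. Returns 0 if every entry is trusted. */
int xff_client_ip_by_list(const char *value, const char *trusted[],
                          int ntrusted, char *out, size_t outlen)
{
    char buf[512];
    const char *entries[XFF_MAX_ENTRIES];
    int n = xff_split(value, buf, sizeof buf, entries, XFF_MAX_ENTRIES);

    for (int i = n - 1; i >= 0; i--) {
        if (is_trusted(entries[i], trusted, ntrusted))
            continue;
        snprintf(out, outlen, "%s", entries[i]);
        return 1;
    }
    return 0;
}

/* Check helpers: 1 if the method selects `expected`, else 0. */
int xff_count_selects(const char *value, int proxy_count, const char *expected)
{
    char ip[64];
    return xff_client_ip_by_count(value, proxy_count, ip, sizeof ip)
           && strcmp(ip, expected) == 0;
}

int xff_list_selects(const char *value, const char *trusted[], int ntrusted,
                     const char *expected)
{
    char ip[64];
    return xff_client_ip_by_list(value, trusted, ntrusted, ip, sizeof ip)
           && strcmp(ip, expected) == 0;
}

int main(void)
{
    char ip[64];
    if (xff_client_ip_by_count(SPOOFED_XFF, 2, ip, sizeof ip))
        printf("count=2      -> %s\n", ip);   /* 9.9.9.9 */
    if (xff_client_ip_by_list(SPOOFED_XFF, TRUSTED_PROXIES, N_TRUSTED, ip, sizeof ip))
        printf("trusted list -> %s\n", ip);   /* 9.9.9.9 */
    return 0;
}
```

Note that with a count of 1 the same spoofed header yields 2.2.2.2, the address proxy B appended, which is why the count has to match the actual chain length; the list method does not need that number but requires every internal proxy address to be configured.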