Comments (3)
As of now, strfry doesn't support X-Forwarded-For. Personally I try to avoid this header when possible, because often first-level proxies get configured to append their IP onto this header if it exists. In this case clients can spoof their IP to be whatever they want by providing the header themselves. More info here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#security_and_privacy_concerns
In general, I think the X-Real-IP header ( https://nginx.org/en/docs/http/ngx_http_realip_module.html ) is less likely to have this problem. The typical configuration is to overwrite this header if provided, meaning that there will never be a list of IPs.
I believe strfry's current implementation will fail with x-forwarded-for headers that have multiple IPs, although this depends on the OS's inet_pton() implementation. We could make it support x-forwarded-for and pull out the final first IP address. If this is important to you let me know and I'll add it to my TODO list.
On the topic of IPv6, yes, strfry should support IPv6 addresses. I'll note that the two IP6 addresses you pasted seem to actually be invalid, though. The first has some non-printable characters in it (?), and the second should probably be ::ffff:123.83.123.203
(missing ::
)
from strfry.
Github replaces some : with emojisc next time i'll use code block
And that ffff is right, it's ipv4 noted in ipv6 format, i suppose haproxy and nginx have it right, since they are widely used.
Btw if someone will inject IP to headers, haproxy will just add right IP after it.
But yes, I can use some header like X-real-ip or even some random string
from strfry.
My issue wasn't with the ffff, but that it was missing a ::
, see this website:
Bad: http://v6decode.com/#address=ffff%3A123.83.123.203
Good: http://v6decode.com/#address=%3A%3Affff%3A123.83.123.203
But probably you're right and it is just github mangling your pasted text.
With X-Forwarded-For I think ideally you would configure haproxy to delete the untrusted IP(s), not just add the right IP to the end of the list. At the final end-point downstream, how will you decide which one of the IPs in the list is the original client IP?
It's not just the header name, X-Real-IP also has a different security profile, because it does not support a list of IPs, meaning that a proxy will always overwrite any (possibly untrusted) upstream values. In your case this means you would only want to have the X-Real-IP set at the HAProxy level (not nginx)
from strfry.
Related Issues (20)
- Dockerfile build fails HOT 1
- MDB_MAP_FULL: Environment mapsize limit reached HOT 5
- Work to change database HOT 2
- NWC events are no longer sent HOT 1
- Crash: page allocation failure HOT 2
- Ubuntu docker build is broken HOT 2
- A question regarding the sync command HOT 2
- Up-to-date docker image in dockerhub HOT 1
- Cron deletes events that are not expired HOT 1
- Importing events from another relay using .jsonl import HOT 4
- Feature: retention period HOT 5
- Feature request: NIP-45 Event Count HOT 6
- Build Error HOT 6
- Favicon for relay HOT 1
- Cryptic error messages returned in OK messages HOT 1
- logging controls not documented/working
- docker-compose not working HOT 4
- REQ limit is too low HOT 1
- strify crashes on start HOT 2
- OSX build error
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from strfry.