Comparison

plugins/mod_http.lua @ 13127:f45a29b32f7a

mod_http: Make RFC 7239 Forwarded opt-in for now to be safe

Supporting both methods at the same time may open to spoofing attacks, whereby a client sends a Forwarded header that is not stripped by a reverse proxy, leading Prosody to use that instead of the X-Forwarded-* headers actually sent by the proxy. By only supporting one at a time, it can be configured to match what the proxy uses. Disabled by default since implementations are sparse and X-Forwarded-* are everywhere.
author Kim Alvefur <zash@zash.se>
date Sat, 03 Jun 2023 21:53:20 +0200
parent 13126:d043834f15d2
child 13140:7a6874f9fd40
13126:d043834f15d2 13127:f45a29b32f7a
331 secure = secure and proxy.proto == "https"; 331 secure = secure and proxy.proto == "https";
332 else 332 else
333 break 333 break
334 end 334 end
335 end 335 end
336 336 end
337 -- Ignore legacy X-Forwarded-For and X-Forwarded-Proto, handling both seems unfeasible. 337
338 return ip, secure; 338 return ip, secure;
339 end 339 end
340
341 -- TODO switch to RFC 7239 by default once support is more common
342 if module:get_option_boolean("http_legacy_x_forwarded", true) then
343 function get_forwarded_connection_info(request) --> ip:string, secure:boolean
344 local ip = request.ip;
345 local secure = request.secure; -- set by net.http.server
340 346
341 local forwarded_for = request.headers.x_forwarded_for; 347 local forwarded_for = request.headers.x_forwarded_for;
342 if forwarded_for then 348 if forwarded_for then
343 -- luacheck: ignore 631 349 -- luacheck: ignore 631
344 -- This logic looks weird at first, but it makes sense. 350 -- This logic looks weird at first, but it makes sense.
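Review bot: the guarded definition at new 342-345 reassigns `get_forwarded_connection_info`, so the RFC 7239 version defined just above is silently replaced whenever `http_legacy_x_forwarded` is true, which is the default; a one-line comment at 342 stating that this intentionally overrides the earlier definition would spare the next reader from tracing the name, and the new option should get an entry in the module documentation so that operators know they must set it to false to have Forwarded honoured at all. The dropped comment at old 337 was the only in-code note on why both schemes are not handled together; the commit message carries that reasoning, but folding a short version of it into the TODO at 341 would keep it next to the code that will eventually be switched.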
358 364
359 secure = secure or request.headers.x_forwarded_proto == "https"; 365 secure = secure or request.headers.x_forwarded_proto == "https";
360 366
361 return ip, secure; 367 return ip, secure;
362 end 368 end
369 end
363 370
364 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data) 371 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data)
365 local request = event_data.request; 372 local request = event_data.request;
366 if request and is_trusted_proxy(request.ip) then 373 if request and is_trusted_proxy(request.ip) then
367 -- Not included in eg http-error events 374 -- Not included in eg http-error events
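Review bot: the two modes compute `secure` differently, and the change now makes that visible as a configuration-dependent behaviour: the legacy path at new 365 uses `secure or request.headers.x_forwarded_proto == "https"`, so an X-Forwarded-Proto header from a trusted proxy can raise `secure` from false to true, while the RFC 7239 loop at 331 uses `secure and proxy.proto == "https"`, which can only lower it. Since only one function is active at a time this is not a new regression, but flipping `http_legacy_x_forwarded` behind the same proxy will change what `request.secure` means; consider aligning the two expressions or noting the difference in the TODO at 341. The `is_trusted_proxy(request.ip)` gate at 373 applies to both modes, so untrusted peers cannot reach either path, which is worth stating in the comment at 342 as well.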