Comparison
plugins/mod_http.lua @ 13127:f45a29b32f7a
mod_http: Make RFC 7239 Forwarded opt-in for now to be safe
Supporting both methods at the same time may open to spoofing attacks,
whereby a client sends a Forwarded header that is not stripped by a
reverse proxy, leading Prosody to use that instead of the X-Forwarded-*
headers actually sent by the proxy.
By only supporting one at a time, it can be configured to match what the
proxy uses.
Disabled by default since implementations are sparse and X-Forwarded-*
are everywhere.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 03 Jun 2023 21:53:20 +0200 |
parent | 13126:d043834f15d2 |
child | 13140:7a6874f9fd40 |
13126:d043834f15d2 | 13127:f45a29b32f7a |
---|---|
331 secure = secure and proxy.proto == "https"; | 331 secure = secure and proxy.proto == "https"; |
332 else | 332 else |
333 break | 333 break |
334 end | 334 end |
335 end | 335 end |
336 | 336 end |
337 -- Ignore legacy X-Forwarded-For and X-Forwarded-Proto, handling both seems unfeasible. | 337 |
338 return ip, secure; | 338 return ip, secure; |
339 end | 339 end |
340 | |
341 -- TODO switch to RFC 7239 by default once support is more common | |
342 if module:get_option_boolean("http_legacy_x_forwarded", true) then | |
343 function get_forwarded_connection_info(request) --> ip:string, secure:boolean | |
344 local ip = request.ip; | |
345 local secure = request.secure; -- set by net.http.server | |
340 | 346 |
341 local forwarded_for = request.headers.x_forwarded_for; | 347 local forwarded_for = request.headers.x_forwarded_for; |
342 if forwarded_for then | 348 if forwarded_for then |
343 -- luacheck: ignore 631 | 349 -- luacheck: ignore 631 |
344 -- This logic looks weird at first, but it makes sense. | 350 -- This logic looks weird at first, but it makes sense. |
358 | 364 |
359 secure = secure or request.headers.x_forwarded_proto == "https"; | 365 secure = secure or request.headers.x_forwarded_proto == "https"; |
360 | 366 |
361 return ip, secure; | 367 return ip, secure; |
362 end | 368 end |
369 end | |
363 | 370 |
364 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data) | 371 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data) |
365 local request = event_data.request; | 372 local request = event_data.request; |
366 if request and is_trusted_proxy(request.ip) then | 373 if request and is_trusted_proxy(request.ip) then |
367 -- Not included in eg http-error events | 374 -- Not included in eg http-error events |
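Review bot: the `end` at new line 369 closes the legacy block correctly, but wrapping the block makes the asymmetry in how the two branches derive `secure` visible: the RFC 7239 loop uses `secure = secure and proxy.proto == "https"` (line 331), so every hop must report https, while the legacy body uses `secure = secure or request.headers.x_forwarded_proto == "https"` (new line 365), so an `X-Forwarded-Proto: https` header marks the request secure even when the hop from the proxy to Prosody is plain HTTP. Both paths run only after `is_trusted_proxy(request.ip)` (new line 373), so the header comes from a configured proxy either way, but the meaning of `secure` still depends on which parser `http_legacy_x_forwarded` selects; a comment documenting that the legacy path deliberately keeps its historic behaviour, or aligning the two computations, would avoid surprises when the option is flipped.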