mod_http: Make RFC 7239 Forwarded opt-in for now to be safe Supporting both methods at the same time may open to spoofing attacks, whereby a client sends a Forwarded header that is not stripped by a reverse proxy, leading Prosody to use that instead of the X-Forwarded-* headers actually sent by the proxy. By only supporting one at a time, it can be configured to match what the proxy uses. Disabled by default since implementations are sparse and X-Forwarded-* are everywhere.

author: Kim Alvefur <zash@zash.se>
date: Sat, 03 Jun 2023 21:53:20 +0200
parent: 13126:d043834f15d2
child: 13140:7a6874f9fd40
--- a/plugins/mod_http.lua	Sat Jun 03 17:10:04 2023 +0200
+++ b/plugins/mod_http.lua	Sat Jun 03 21:53:20 2023 +0200
@@ -333,10 +333,16 @@
 				break
 			end
 		end
+	end
 
-		-- Ignore legacy X-Forwarded-For and X-Forwarded-Proto, handling both seems unfeasible.
-		return ip, secure;
-	end
+	return ip, secure;
+end
+
+-- TODO switch to RFC 7239 by default once support is more common
+if module:get_option_boolean("http_legacy_x_forwarded", true) then
+function get_forwarded_connection_info(request) --> ip:string, secure:boolean
+	local ip = request.ip;
+	local secure = request.secure; -- set by net.http.server
 
 	local forwarded_for = request.headers.x_forwarded_for;
 	if forwarded_for then
@@ -360,6 +366,7 @@
 
 	return ip, secure;
 end
+end
 
 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data)
 	local request = event_data.request;