Re: [naviserver-devel] reverseproxymode with multiple X-Forwarded-For values

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Dear David & all,

i’ve committed now a version to the main branch of NaviServer on GitHub.
In addition of my last writeup, i’ve further increased the configurability to make ignoring of non-public servers configurable, no matter whether trusted severs are configured or not. To ease configuration, there is now an own section (instead of use ever-growing variable names).

OLD:
    ns_section ns/parameters {
       ...
       ns_param reverseproxymode true
       ...
    }

NEW:
    ns_section ns/parameters/reverseproxymode {
        ns_param enabled        on
        ns_param trustedservers {192.168.0.0/16 137.208.89.213}
        ns_param skipnonpublic  true
    }

The detailed commit message is 
https://github.com/naviserver-project/naviserver/commit/ab23158ece6fcbec4f740a41140592c910de64f3
"x-forwarded-for" reform (part 1) · naviserver-project/naviserver@ab23158
github.com

below are the test-cases, where the key $X-$Y 
- X: stands for skipnonpublic, and
- Y: stands for trustedservers configured (and trusted servers are "192.168.0.0/16 127.0.0.1”)

documentation updates will follow.

all the best
-g

    # just one XFF entry non-trusted (must be client)
    lappend cases {ff {1.1.1.1} key 0-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1} key 0-1 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1} key 1-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1} key 1-1 peer 1.1.1.1 forwarded 1.1.1.1}

    # just one entry trusted (i.e. must be proxy server)
    lappend cases {ff {192.168.1.10} key 0-0 peer 192.168.1.10 forwarded 192.168.1.10}
    lappend cases {ff {192.168.1.10} key 0-1 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {192.168.1.10} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {192.168.1.10} key 1-1 peer 127.0.0.1 forwarded {}}

    # just one entry local
    lappend cases {ff {127.0.0.3} key 0-0 peer 127.0.0.3 forwarded 127.0.0.3}
    lappend cases {ff {127.0.0.3} key 0-1 peer 127.0.0.3 forwarded 127.0.0.3}
    lappend cases {ff {127.0.0.3} key 1-0 peer 127.0.0.1 forwarded {}}    
    lappend cases {ff {127.0.0.3} key 1-1 peer 127.0.0.1 forwarded {}}

    # two entries, both untrusted
    lappend cases {ff {1.1.1.1, 2.2.2.2} key 0-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1, 2.2.2.2} key 0-1 peer 2.2.2.2 forwarded 2.2.2.2}
    lappend cases {ff {1.1.1.1, 2.2.2.2} key 1-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1, 2.2.2.2} key 1-1 peer 2.2.2.2 forwarded 2.2.2.2}

    # two entries, second trusted
    lappend cases {ff {1.1.1.1, 192.168.1.10} key 0-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1, 192.168.1.10} key 0-1 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1, 192.168.1.10} key 1-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1, 192.168.1.10} key 1-1 peer 1.1.1.1 forwarded 1.1.1.1}

    # two entries, both trusted
    lappend cases {ff {192.168.1.11, 192.168.1.10} key 0-0 peer 192.168.1.11 forwarded 192.168.1.11}
    lappend cases {ff {192.168.1.11, 192.168.1.10} key 0-1 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {192.168.1.11, 192.168.1.10} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {192.168.1.11, 192.168.1.10} key 1-1 peer 127.0.0.1 forwarded {}}

    # two entries, both local
    lappend cases {ff {127.0.0.2, 127.0.0.3} key 0-0 peer 127.0.0.2 forwarded 127.0.0.2}
    lappend cases {ff {127.0.0.2, 127.0.0.3} key 0-1 peer 127.0.0.3 forwarded 127.0.0.3}
    lappend cases {ff {127.0.0.2, 127.0.0.3} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {127.0.0.2, 127.0.0.3} key 1-1 peer 127.0.0.1 forwarded {}}

    # empty entry
    lappend cases {ff {} key 0-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {} key 0-1 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {} key 1-1 peer 127.0.0.1 forwarded {}}

    # wrong entry
    lappend cases {ff {x} key 0-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {x} key 0-1 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {x} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {x} key 1-1 peer 127.0.0.1 forwarded {}}

    # wrong entry on the right
    lappend cases {ff {137.208.116.31, x} key 0-0 peer 137.208.116.31 forwarded 137.208.116.31}
    lappend cases {ff {137.208.116.31, x} key 0-1 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {137.208.116.31, x} key 1-0 peer 137.208.116.31 forwarded 137.208.116.31}
    lappend cases {ff {137.208.116.31, x} key 1-1 peer 127.0.0.1 forwarded {}}

    # wrong entry on the left
    lappend cases {ff {y, 137.208.116.31} key 0-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {y, 137.208.116.31} key 0-1 peer 137.208.116.31 forwarded 137.208.116.31}
    lappend cases {ff {y, 137.208.116.31} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {y, 137.208.116.31} key 1-1 peer 137.208.116.31 forwarded 137.208.116.31}

> On 29.04.2024, at 10:47, David Osborne <da...@qc...> wrote:
> 
> Hi Gustaf,
> 
> From your description it sounds like we could certainly work round our issue using the ReverseProxyTrustedServers config.
> Thank you very much for your time on this.
> 
> On Fri, 26 Apr 2024 at 14:09, Gustaf Neumann (sslmail) <ne...@wu... <mailto:ne...@wu...>> wrote:
>> Hi David,
>> 
>> I have now implemented the following (but not yet committed,
>> since i was side-tracked by some tcl9 issues and i am running out of
>> time.
>> 
>> From my understanding, this should address your problems now, 
>> and when “proxy 2” is removed.
>> 
>> An easy extension of this would be to let the site-admin configure
>> an alternative header field (like x-real-ip), which could bypass
>> the search through the list of candidate addresses.
>> 
>> all the best
>> -gn
>> 
> 
> _______________________________________________
> naviserver-devel mailing list
> nav...@li...
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel

Re: [naviserver-devel] reverseproxymode with multiple X-Forwarded-For values

NaviServer, a high performance web server written in C and Tcl

Re: [naviserver-devel] reverseproxymode with multiple X-Forwarded-For values