From: Gustaf N. (sslmail) <ne...@wu...> - 2024-04-30 16:16:57
Dear David & all,

i've committed now a version to the main branch of NaviServer on GitHub. In addition to my last writeup, i've further increased the configurability to make ignoring of non-public servers configurable, no matter whether trusted servers are configured or not. To ease configuration, there is now an own section (instead of using ever-growing variable names).

OLD:

    ns_section ns/parameters {
        ...
        ns_param reverseproxymode true
        ...
    }

NEW:

    ns_section ns/parameters/reverseproxymode {
        ns_param enabled        on
        ns_param trustedservers {192.168.0.0/16 137.208.89.213}
        ns_param skipnonpublic  true
    }

The detailed commit message is
https://github.com/naviserver-project/naviserver/commit/ab23158ece6fcbec4f740a41140592c910de64f3

Below are the test-cases, where the key $X-$Y
 - X: stands for skipnonpublic, and
 - Y: stands for trustedservers configured (and trusted servers are "192.168.0.0/16 127.0.0.1")

Documentation updates will follow.

all the best
-g

    # just one XFF entry non-trusted (must be client)
    lappend cases {ff {1.1.1.1} key 0-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1} key 0-1 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1} key 1-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1} key 1-1 peer 1.1.1.1 forwarded 1.1.1.1}

    # just one entry trusted (i.e. must be proxy server)
    lappend cases {ff {192.168.1.10} key 0-0 peer 192.168.1.10 forwarded 192.168.1.10}
    lappend cases {ff {192.168.1.10} key 0-1 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {192.168.1.10} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {192.168.1.10} key 1-1 peer 127.0.0.1 forwarded {}}

    # just one entry local
    lappend cases {ff {127.0.0.3} key 0-0 peer 127.0.0.3 forwarded 127.0.0.3}
    lappend cases {ff {127.0.0.3} key 0-1 peer 127.0.0.3 forwarded 127.0.0.3}
    lappend cases {ff {127.0.0.3} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {127.0.0.3} key 1-1 peer 127.0.0.1 forwarded {}}

    # two entries, both untrusted
    lappend cases {ff {1.1.1.1, 2.2.2.2} key 0-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1, 2.2.2.2} key 0-1 peer 2.2.2.2 forwarded 2.2.2.2}
    lappend cases {ff {1.1.1.1, 2.2.2.2} key 1-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1, 2.2.2.2} key 1-1 peer 2.2.2.2 forwarded 2.2.2.2}

    # two entries, second trusted
    lappend cases {ff {1.1.1.1, 192.168.1.10} key 0-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1, 192.168.1.10} key 0-1 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1, 192.168.1.10} key 1-0 peer 1.1.1.1 forwarded 1.1.1.1}
    lappend cases {ff {1.1.1.1, 192.168.1.10} key 1-1 peer 1.1.1.1 forwarded 1.1.1.1}

    # two entries, both trusted
    lappend cases {ff {192.168.1.11, 192.168.1.10} key 0-0 peer 192.168.1.11 forwarded 192.168.1.11}
    lappend cases {ff {192.168.1.11, 192.168.1.10} key 0-1 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {192.168.1.11, 192.168.1.10} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {192.168.1.11, 192.168.1.10} key 1-1 peer 127.0.0.1 forwarded {}}

    # two entries, both local
    lappend cases {ff {127.0.0.2, 127.0.0.3} key 0-0 peer 127.0.0.2 forwarded 127.0.0.2}
    lappend cases {ff {127.0.0.2, 127.0.0.3} key 0-1 peer 127.0.0.3 forwarded 127.0.0.3}
    lappend cases {ff {127.0.0.2, 127.0.0.3} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {127.0.0.2, 127.0.0.3} key 1-1 peer 127.0.0.1 forwarded {}}

    # empty entry
    lappend cases {ff {} key 0-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {} key 0-1 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {} key 1-1 peer 127.0.0.1 forwarded {}}

    # wrong entry
    lappend cases {ff {x} key 0-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {x} key 0-1 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {x} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {x} key 1-1 peer 127.0.0.1 forwarded {}}

    # wrong entry on the right
    lappend cases {ff {137.208.116.31, x} key 0-0 peer 137.208.116.31 forwarded 137.208.116.31}
    lappend cases {ff {137.208.116.31, x} key 0-1 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {137.208.116.31, x} key 1-0 peer 137.208.116.31 forwarded 137.208.116.31}
    lappend cases {ff {137.208.116.31, x} key 1-1 peer 127.0.0.1 forwarded {}}

    # wrong entry on the left
    lappend cases {ff {y, 137.208.116.31} key 0-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {y, 137.208.116.31} key 0-1 peer 137.208.116.31 forwarded 137.208.116.31}
    lappend cases {ff {y, 137.208.116.31} key 1-0 peer 127.0.0.1 forwarded {}}
    lappend cases {ff {y, 137.208.116.31} key 1-1 peer 137.208.116.31 forwarded 137.208.116.31}

> On 29.04.2024, at 10:47, David Osborne <da...@qc...> wrote:
>
> Hi Gustaf,
>
> From your description it sounds like we could certainly work round our issue using the ReverseProxyTrustedServers config.
> Thank you very much for your time on this.
>
> On Fri, 26 Apr 2024 at 14:09, Gustaf Neumann (sslmail) <ne...@wu...> wrote:
>> Hi David,
>>
>> I have now implemented the following (but not yet committed,
>> since i was side-tracked by some tcl9 issues and i am running out of
>> time.
>>
>> From my understanding, this should address your problems now,
>> and when "proxy 2" is removed.
>>
>> An easy extension of this would be to let the site-admin configure
>> an alternative header field (like x-real-ip), which could bypass
>> the search through the list of candidate addresses.
>>
>> all the best
>> -gn
>>
>
> _______________________________________________
> naviserver-devel mailing list
> nav...@li...
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
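As an added example (not code from the mail or from NaviServer), here is a small Python model of the selection rule the test table above implies, checked against a sample of its cases. The scan direction (right-to-left once trusted servers are configured, left-to-right otherwise), the rule that an unparsable entry ends the search, and the names resolve_client, run_cases, TRUSTED and CASES are my reading of the table, not NaviServer's implementation; the table does not distinguish skipping from stopping at a non-public entry, so the model assumes skipping.

```python
import ipaddress

# Trusted proxies from the mail ("192.168.0.0/16 127.0.0.1"); used when Y=1
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "127.0.0.1")]

def resolve_client(xff, skipnonpublic, trusted, actual_peer="127.0.0.1"):
    """Model of the selection rule the table implies (my reading, not NaviServer's code).
    Returns (peer, forwarded); forwarded is '' when no XFF entry was accepted."""
    entries = [e.strip() for e in xff.split(",")] if xff.strip() else []
    # With trusted proxies configured, walk right-to-left (nearest hop first);
    # without them, read the list left-to-right as a classic XFF header.
    if trusted:
        entries.reverse()
    for entry in entries:
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            break        # an unparsable entry ends the search ("wrong entry" cases)
        if any(ip in net for net in trusted):
            continue     # a trusted proxy hop: keep looking further out
        if skipnonpublic and not ip.is_global:
            continue     # private/loopback address, not a client (assumed: skip, not stop)
        return str(ip), str(ip)
    return actual_peer, ""

# Sample of the mail's cases: (xff, "X-Y", expected peer, expected forwarded)
CASES = [
    ("192.168.1.10", "0-1", "127.0.0.1", ""),
    ("192.168.1.10", "1-0", "127.0.0.1", ""),
    ("127.0.0.3", "0-1", "127.0.0.3", "127.0.0.3"),
    ("1.1.1.1, 2.2.2.2", "0-0", "1.1.1.1", "1.1.1.1"),
    ("1.1.1.1, 2.2.2.2", "0-1", "2.2.2.2", "2.2.2.2"),
    ("1.1.1.1, 192.168.1.10", "1-1", "1.1.1.1", "1.1.1.1"),
    ("127.0.0.2, 127.0.0.3", "1-1", "127.0.0.1", ""),
    ("x", "0-0", "127.0.0.1", ""),
    ("137.208.116.31, x", "0-1", "127.0.0.1", ""),
    ("y, 137.208.116.31", "0-0", "127.0.0.1", ""),
    ("y, 137.208.116.31", "1-1", "137.208.116.31", "137.208.116.31"),
]

def run_cases(cases=CASES):
    """Return the cases the model gets wrong (empty list: model matches the table)."""
    failures = []
    for xff, key, want_peer, want_fwd in cases:
        x, y = (int(c) for c in key.split("-"))
        got = resolve_client(xff, bool(x), TRUSTED if y else [])
        if got != (want_peer, want_fwd):
            failures.append((xff, key, got))
    return failures
```

Calling run_cases() returns an empty list for the sampled rows; feeding it the full table from the mail is a quick way to check whether the model still matches after a future change to the selection rule.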