0xPolygonHermez / zkevm-node

Go implementation of a node that operates the Polygon zkEVM Network

Switch to `X-Real-IP` header for IP Extraction #2291

Open Psykepro opened 1 year ago

Psykepro commented 1 year ago

Summary:

Once the necessary infrastructure changes are in place, we need to switch from using the X-Forwarded-For HTTP header to using the X-Real-IP HTTP header for retrieving the client's IP address.

Description:

Currently, our JSON RPC system fetches the client's IP address from the X-Forwarded-For HTTP header. This approach has known security risks as the X-Forwarded-For header can be manipulated, which could lead to IP spoofing. We plan to shift to using the X-Real-IP header, which is more secure and reliable, for fetching the client's IP address.

This issue is dependent on updates to our infrastructure that are currently underway. Once those updates are complete, we will be able to make the switch.

Steps:

  1. Update JSON RPC IP Extraction:

    • Modify the relevant JSON RPC methods to fetch the client's IP address from the X-Real-IP HTTP header.

  2. Implement IP Validation:

    • Ensure the IP address fetched from the X-Real-IP header is validated for format correctness and validity.

  3. Talk with Xavi about whether we need to enforce always having a non-empty and valid IP address in the header (currently it is not enforced).

Motivation:

Switching to X-Real-IP for IP extraction will enhance our system's security by protecting against IP spoofing attacks. This change is critical to maintaining the integrity of our transaction logs and the overall reliability of our services.
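An added example, not code from zkevm-node itself, of the extraction and validation steps described above, written in Go since that is the node's language. The function names, the strict/lenient split (mirroring the open question in step 3) and the sample addresses are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ErrNoClientIP is returned when X-Real-IP is absent or does not parse.
var ErrNoClientIP = errors.New("no valid client IP in X-Real-IP header")

// ClientIP reads the client address from X-Real-IP and validates it with
// net.ParseIP. X-Forwarded-For is a comma-separated chain that the client
// can prepend to; X-Real-IP is a single value the trusted reverse proxy sets.
func ClientIP(r *http.Request) (net.IP, error) {
	raw := strings.TrimSpace(r.Header.Get("X-Real-IP"))
	if raw == "" {
		return nil, ErrNoClientIP
	}
	// Some proxies append a port ("203.0.113.7:8080", "[2001:db8::1]:443");
	// strip it so net.ParseIP accepts the value. A bare IP leaves raw as-is.
	if host, _, err := net.SplitHostPort(raw); err == nil {
		raw = host
	}
	ip := net.ParseIP(raw)
	if ip == nil {
		return nil, ErrNoClientIP
	}
	return ip, nil
}

// ClientIPOrRemote is the lenient policy: when the header is missing or
// invalid, fall back to the TCP peer address rather than rejecting the call.
func ClientIPOrRemote(r *http.Request) net.IP {
	if ip, err := ClientIP(r); err == nil {
		return ip
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

func main() {
	// Constructed request: hypothetical proxy-set header and peer address.
	req, _ := http.NewRequest(http.MethodPost, "http://localhost:8545", nil)
	req.Header.Set("X-Real-IP", "203.0.113.7")
	req.RemoteAddr = "10.0.0.1:54321"
	ip, err := ClientIP(req)
	fmt.Println(ip, err)
}
```

With the strict policy a request lacking the header is rejected, which is only safe once the infrastructure guarantees the proxy always sets it.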

Psykepro commented 1 year ago

Follow-up issue related to: https://github.com/0xPolygonHermez/zkevm-node/issues/2284