Closed daxxog closed 3 years ago
Can we add those lines commented? I don't want to force everyone to have that enabled.
@pitbulk They are conditional and wouldn't be used unless those header(s) are set. What would be the downside of having these in here uncommented?
e.g. in nginx
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:443;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-Proto https;
The X-Forwarded-For, X-Forwarded-By, X-Forwarded-Proto, and X-Forwarded-Host headers are not trusted for security reasons, because it is not possible to know the order in which already existing fields were added (as per Forwarded HTTP Extension).
https://devcenter.heroku.com/articles/http-routing#heroku-headers
The "Forwarded" HTTP header field cannot be relied upon to be correct, as it may be modified, whether mistakenly or for malicious reasons, by every node on the way to the server, including the client making the request.
One approach to ensure that the "Forwarded" HTTP header field is correct is to verify the correctness of proxies and to whitelist them as trusted. This approach has at least two weaknesses. First, the chain of IP addresses listed before the request came to the proxy cannot be trusted. Second, unless the communication between proxies and the endpoint is secured, the data can be modified by an attacker with access to the network.
https://tools.ietf.org/html/rfc7239.html 8.1. Header Validity and Integrity
Make sense, I will update this PR in a few days to reflect your suggested changes and put some comments so users know what this bit is for.
This PR helps when running a reverse proxy in front of the pyramid demo by overriding
request.scheme
andrequest.server_port
when the properX-Forwarded
headers are set.