apify / proxy-chain

Node.js implementation of a proxy server (think Squid) with support for SSL, authentication and upstream proxy chaining.
https://www.npmjs.com/package/proxy-chain
Apache License 2.0

Consider binding HTTP server to a specific hostname #525

Closed jancurn closed 7 months ago

jancurn commented 8 months ago

We got this report from a customer:

We were conducting penetration testing on our machines, when the tester noticed that the listeners of the proxy chain from Apify are not bound to localhost by default; take a look at this: https://github.com/apify/proxy-chain/blob/daecafb1802caef070e54a662e090d18cf2f336a/src/server.ts#L565

We are considering having a patch that introduces the following change:

this.server.listen(this.port); -> this.server.listen(this.port, 'localhost');

But I wanted to ask you first:

  • Why does it not bind the listener to localhost by default?
  • Are you aware of any consequences if we bind it to localhost to increase security? Will that affect the job of the proxy?

Thanks,

Perhaps we should force localhost, e.g. for usage from within anonymizeProxy().

drobnikj commented 7 months ago

This was done in https://github.com/apify/proxy-chain/releases/tag/v2.4.0