dropwhile
commented
7 years ago go-camo does indeed simply do what you tell it to. There are a couple of ways to handle this:
1) Run go-camo on an isolated instance.
2) Run a local resolver for go-camo that returns NXDOMAIN responses for addresses in blacklisted ranges. (e.g. unbound's private-address functionality). This is also useful to help prevent dns rebinding attacks in general.
3) Utilize firewall rules to isolate a go-camo server from the rest of your internal network.
Maybe adding simple rfc1918 (and fd00::/8 and fe80::/10) rejection by default (option flag), would be reasonable though. People could turn it off and do other things if they need a more exotic config.
I'll take a look at it -- especially since go-camo currently does try to filter out raw rfc1918 addresses if used directly in the host field of a url -- iit just doesn't try resolving real hostnames then checking currently.
alexzeitgeist
I had this log entry today:
2017/01/15 05:46:49 [error] 8403#8403: *73363 access forbidden by rule, client: 127.0.0.1, server: _, request: "GET /cnwk.1d/i/bto/20090806/iRex_DR800_mock.png HTTP/1.1", host: "i.i.com.com"
http://i.i.com.com/cnwk.1d/i/bto/20090806/iRex_DR800_mock.png used to point to an image; nowadays though, the host resolves to 127.0.0.1. Yet go-camo dutifully attempts to request the URL. This could potentially leak private information if there's a private server listening on 127.0.0.1.
I suggest to resolve a domain first before making the proxy request and deny it if the domain resolves to an rfc1918 address.