search

docker-archive / dockercloud-haproxy

HAproxy image that autoreconfigures itself when used in Docker Cloud
https://cloud.docker.com/
651 stars 187 forks source link

Option to strip X-Forwarded-Proto #152

Closed steffkes closed 7 years ago

steffkes commented 7 years ago

Just started using dockercloud-haproxy, mainly for SSL-Termination. First thing i've noticed is, that there is an option SKIP_FORWARDED_PROTO that (as the name implies) does not add a separate header, just assuming it operates behind another load balancer that already did that.

what i'm missing is an option to strip any incoming X-Forwarded-Proto header, because otherwise the client would be able to supply malicious information to my application. obviously you can help yourself already by using extra settings like:

EXTRA_FRONTEND_SETTINGS_<PORT>: reqidel ^X-Forwarded-Proto:.*

at least i'd expect to have an option for it .. so i'd be interested in what others think about this? if there is interested - or at least no rejection - i'd try and come up with a PR for it.

WDYT?

tifayuki commented 7 years ago

@steffkes In the haproxy script that generates the haproxy configuration, it automatically adds reqadd X-Forwarded-Proto:\ <http/https> instruction, based on whether the frontend uses SSL or not. SKIP_FORWARDED_PROTO is added because some users don't like this auto-generated header.

As to remove any headers that comes from the user request, it is up to the the user to manage it. As you said, yes, a user can use EXTRA_FRONTEND_SETTINGS_<PORT> to do it, which is more like a generic way to solve problems.

If you think it is worth to create a set of Env vars to fulfill the needs, a PR is always welcomed.

Thank you

steffkes commented 7 years ago

@tifayuki i know, i've read through the configs as well as the scripts that generate them :)

i was just surprised, that we have an option to not add the headers on the request .. but none to remove incoming headers.

since this is used in production as well, and not only meant for debugging .. this is one of the first things i was looking after, to avoid any problems because the client is able to pass through information that is relevant for the question how to handle the request.

which led me to think that stripping incoming headers is a more common case than other things we do have an option for. once you have the EXTRA_FRONTEND_SETTINGS going, it's perfectly fine of course as well.

so instead of simply asking an option, just because i was needing (or rather expecting) it .. i wanted to ask how others think about - don't need to add it, just because ;>

-Stefan

tifayuki commented 7 years ago

Looks no ones has options on this, close the issue at the moment