Open matrixbot opened 2 weeks ago
This comment was originally posted by @S7evinK at https://github.com/matrix-org/dendrite/issues/3287#issuecomment-1858517012.
Change somewhere here (or in this file): https://github.com/matrix-org/dendrite/blob/d65449c7822e89b506bf2caa7a098e38970f6f27/syncapi/sync/requestpool.go#L176-L204
This comment was originally posted by @zbig-t at https://github.com/matrix-org/dendrite/issues/3287#issuecomment-1858526862.
Thanks, I think (hope) that's not beyond my abilities. Will create a PR once I manage to take care of that.
This comment was originally posted by @Curious-r at https://github.com/matrix-org/dendrite/issues/3287#issuecomment-1859139144.
I think it's necessary.
Now I'm using X-Forwarded-For instead of X-Real-ip, because the former exists in a lot of reverse proxies as a standard header.
This comment was originally posted by @bones-was-here at https://github.com/matrix-org/dendrite/issues/3287#issuecomment-1862563401.
None of these headers are safe to trust in the default configuration, unless Dendrite will never use the information for anything important.
To be trustworthy the IP header must be set by a trusted reverse proxy that also discards any (potentially spoofed) information it receives in these headers. The various proxy implementations have different default behaviours, might not be using their defaults, or the admin might not be using a proxy at all.
This issue was originally created by @S7evinK at https://github.com/matrix-org/dendrite/issues/3287.
...
But, if I may, do you think Dendrite should perhaps auto-try any of the standard "this is the client's real IP" headers automatically? Do you see any downsides in doing that? For what it's worth, from my limited self-hosting experience, many applications do it automatically, given the current trends in hosting stuff (everything behind a reverse proxy or ingress or whatever).
Best regards, Zbig
Originally posted by @zbig-t in https://github.com/matrix-org/dendrite/issues/3286#issuecomment-1853767516