ipfs / kubo

An IPFS implementation in Go
https://docs.ipfs.tech/how-to/command-line-quick-start/

Respect RFC 7239 (`Forwarded` header), `X-Forwarded-For`, and/or `X-Real-IP` #8193

Open TheDiscordian opened 3 years ago

TheDiscordian commented 3 years ago

Currently, when using Nginx as a reverse proxy, go-ipfs seems to list all peers connecting through the reverse proxy as 127.0.0.1 (`ipfs swarm peers`). I couldn't find a way to discover their actual IP address, which can be incredibly useful for tools like fail2ban. I'm hoping for go-ipfs to support RFC 7239 and/or the `X-Forwarded-For` and/or `X-Real-IP` headers. These are documented quite well here.

My apologies if I missed the feature!

Stebalien commented 3 years ago

Given that you're saying ipfs swarm peers, I assume you're referring to the websocket transport. If so, we can't just blindly trust these headers.

However, I guess we could add a config option to trust certain proxies. We'd need to:

  1. Add a feature to the websocket libp2p transport to perform these translations.
  2. Add a "trusted proxies" config option to the go-ipfs config and pipe this information through to libp2p.
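One way to implement the translation and trust check sketched above, as an added Go example (not code from kubo or go-libp2p): forwarding headers are honoured only when the TCP peer is a configured trusted proxy, and the hop chain is read from the proxy side inward, so an entry the client supplied itself cannot override the address the proxy appended. The `trusted` set (keyed by canonical `net.IP` strings) and the function names are assumptions; no such config option exists in kubo today.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// parseHop parses an RFC 7239 node: "ip", "ip:port", "[v6]" or "[v6]:port".
func parseHop(s string) net.IP {
	if host, _, err := net.SplitHostPort(strings.TrimSpace(s)); err == nil {
		return net.ParseIP(host)
	}
	return net.ParseIP(strings.Trim(s, "[] "))
}

// hops returns the forwarding chain, oldest hop first: the "for=" members of an
// RFC 7239 Forwarded header if present, else X-Forwarded-For, else X-Real-IP.
func hops(h http.Header) []string {
	if fwd := h.Get("Forwarded"); fwd != "" {
		var out []string
		for _, pair := range strings.FieldsFunc(fwd, func(r rune) bool { return r == ',' || r == ';' }) {
			if k, v, ok := strings.Cut(strings.TrimSpace(pair), "="); ok && strings.EqualFold(k, "for") {
				out = append(out, strings.Trim(v, `"`))
			}
		}
		return out
	}
	if xff := h.Get("X-Forwarded-For"); xff != "" {
		return strings.Split(xff, ",")
	}
	return []string{h.Get("X-Real-IP")} // [""] when absent; parses to nil below
}

// ClientIP: the TCP peer wins unless it is in trusted (a hypothetical "trusted proxies"
// config set; Kubo has none today). Then the chain is walked right-to-left, skipping trusted
// hops; the first untrusted hop is the client. Hops left of it are client-supplied and ignored.
func ClientIP(remoteAddr string, h http.Header, trusted map[string]bool) net.IP {
	peer := parseHop(remoteAddr)
	if !trusted[peer.String()] {
		return peer
	}
	chain := hops(h)
	for i := len(chain) - 1; i >= 0; i-- {
		if ip := parseHop(chain[i]); ip == nil || !trusted[ip.String()] {
			return ip // nil if a hop is missing or malformed: unknown, not a guess
		}
	}
	return peer // every hop was a trusted proxy (e.g. the proxy's own request)
}
```

A nil result means "unknown" (trusted proxy, but no usable chain), which a ban tool should treat differently from the proxy's own address.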

fusetim commented 3 years ago

linked to: libp2p/go-libp2p#1437

fusetim commented 3 years ago

Would it be possible to incorporate support for Proxy Protocol as well? For IPv6 compatibility, I need a relay before the connection reaches go-ipfs. At the moment, the IPs displayed for connections going through this relay are therefore partly wrong, their IP being replaced by that of the TCP relay.

Stebalien commented 3 years ago

See https://github.com/libp2p/go-libp2p/issues/1065. As you can see, I have some objections to the entire concept of the "proxy protocol", but I'm not strictly opposed to a clean implementation.

However, the core team is unlikely to work on either of these features in the near future.

TheDiscordian commented 3 years ago

> However, the core team is unlikely to work on either of these features in the near future.

My use case, and the reason for opening this issue, is that I'm trying to blacklist a peer that floods my connections (I don't know why it's doing it, but it opens 5, closes 5, repeat). Is there any way to do that in go-ipfs currently? I can't get the IP because go-ipfs doesn't support SSL or the headers I'd use to get the IP from a reverse proxy. Just having the IP would allow me to chuck it into iptables and handle the rest myself, but currently I don't see any path to reliably retrieve the correct IP for a peer connecting over WSS.