m13253 / dns-over-https

High performance DNS over HTTPS client & server
https://developers.google.com/speed/public-dns/docs/dns-over-https
MIT License

Cannot handle X-Forwarded-For properly #153

Open gili-gili opened 1 year ago

gili-gili commented 1 year ago

Using Caddy as a reverse proxy and Cloudflare as the CDN service.
Cannot read the client's real IP with the header X-Forwarded-For.
Part of the Caddy configuration:

            {
              "match": [
                {
                  "host": ["example.com"]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "match": [
                        {
                          "path": ["/dns-query"]
                        }
                      ],
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "request": {
                              "set": {
                                "X-Forwarded-For": ["{http.request.header.CF-Connecting-IP}"]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "127.0.0.1:8053"
                            }
                          ]
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "handler": "file_server",
                          "root": "/path/to/caddy"
                        }
                      ],
                      "terminal": true
                    }
                  ]
                }
              ]
            }

If I replace X-Forwarded-For with X-Real-IP, then the server is able to read client real IP. I don't know if this is caused by caddy or dns-over-https.

m13253 commented 1 year ago

Doh-server is programmed to require the client IP to be a globally routable IP. (In other words, if your server is in the same private network with your client, doh-server may see something like 192.168.114.191 and decide to ignore that, since it cannot help with GeoDNS.)

Can you check whether the submitted X-Forwarded-For IP is a globally routable one?

If there are multiple X-Forwarded-For IPs, doh-server deletes any non-global IPs and then chooses the farthest one on the proxy chain for GeoDNS.
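The selection rule described in the reply above, as an added example that is not doh-server's own code: non-global entries are dropped from the X-Forwarded-For list and the first remaining one is used. The names `isGlobal` and `clientIPFromXFF`, the reading of "farthest" as the leftmost entry, the CGNAT exclusion, and the sample header values are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Carrier-grade NAT space (RFC 6598); netip's IsPrivate does not cover it.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// isGlobal reports whether a is a globally routable unicast address, i.e. not
// private, loopback, link-local, multicast, unspecified or CGNAT.
func isGlobal(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:10.0.0.5 as 10.0.0.5
	return a.IsGlobalUnicast() && !a.IsPrivate() && !cgnat.Contains(a)
}

// clientIPFromXFF scans an X-Forwarded-For value left to right (assumed here
// to be farthest-from-server first) and returns the first global address.
func clientIPFromXFF(header string) (netip.Addr, bool) {
	for _, field := range strings.Split(header, ",") {
		a, err := netip.ParseAddr(strings.TrimSpace(field))
		if err != nil {
			continue // empty or malformed entry
		}
		if isGlobal(a) {
			return a.Unmap(), true
		}
	}
	return netip.Addr{}, false
}

func main() {
	// Constructed sample header values.
	samples := []string{
		"192.168.114.191",
		"192.168.114.191, 8.8.8.8, 10.0.0.1",
		"100.64.1.2, ::ffff:10.0.0.5, 2001:4860:4860::8888",
		"",
	}
	for _, h := range samples {
		if ip, ok := clientIPFromXFF(h); ok {
			fmt.Printf("%q -> %s\n", h, ip)
		} else {
			fmt.Printf("%q -> no global IP, header ignored\n", h)
		}
	}
}
```

Entries to the left of the first trusted proxy are whatever the client or outer hops supplied, so a value chosen this way suits a GeoDNS hint rather than an access-control decision.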