Closed: simonelbaz closed this issue 3 weeks ago
Seems like it's related to the security plugin. Transferring the issue.
Thanks.
Hi @simonelbaz would you mind sharing your opensearch_dashboards.yml config?
Just re-read the issue and it seems related to backend only.
@simonelbaz From my understanding of the code, it's the IP address of the initiator of the request that's verified against internalProxies,
not what's passed in the XFF header. See https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/http/RemoteIpDetector.java#L119-L144
// originalRemoteAddr need to be in the list of internalProxies
The XFF header comes into the picture in the Backend Registry here. The XFFResolver is responsible for getting the original IP Address of the request. For non-proxied requests that's the IP address of the web request, but for proxied requests it extracts that through the XFF header.
In your example, where are you sending the request from?
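As an added illustration of the two-step resolution described in the comment above (this is a constructed model, not the plugin's own code): the TCP peer address is checked against internalProxies first, and only when that check passes is the client address read from the remoteIpHeader. It assumes internalProxies can be modelled as a set of IP networks and that the header is x-forwarded-for; the sample requests are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed sample configuration (not the plugin's own format): the single
# internal proxy from this thread and the header name used for the client IP.
INTERNAL_PROXIES = ["192.168.176.40/32"]
REMOTE_IP_HEADER = "x-forwarded-for"


def is_internal_proxy(addr: str, internal_proxies: Iterable[str]) -> bool:
    """True when addr falls inside one of the configured internal proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in internal_proxies)


def resolve_client_ip(peer_addr: str, headers: Dict[str, str],
                      internal_proxies: Iterable[str] = INTERNAL_PROXIES,
                      remote_ip_header: str = REMOTE_IP_HEADER) -> Tuple[str, bool]:
    """Return (client_ip, header_used).

    The header is consulted only when the TCP peer (originalRemoteAddr) is an
    internal proxy; from any other peer the header is ignored and the peer
    address itself is treated as the client address.
    """
    if not is_internal_proxy(peer_addr, internal_proxies):
        return peer_addr, False
    raw = {k.lower(): v for k, v in headers.items()}.get(remote_ip_header.lower())
    if not raw:
        raise ValueError(f"{remote_ip_header} missing on request from internal proxy")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk right to left, skipping hops that are themselves internal proxies;
    # the first remaining hop is the client as reported by the proxy chain.
    for hop in reversed(hops):
        ipaddress.ip_address(hop)  # format check only: raises ValueError if malformed
        if not is_internal_proxy(hop, internal_proxies):
            return hop, True
    # Every hop was an internal proxy: fall back to the peer address.
    return peer_addr, True


if __name__ == "__main__":
    # The case from the thread: curl run on the trusted proxy with an arbitrary header value.
    print(resolve_client_ip("192.168.176.40", {"x-forwarded-for": "10.9.8.7"}))
    # The same header sent from a host that is not an internal proxy is ignored.
    print(resolve_client_ip("203.0.113.5", {"x-forwarded-for": "10.9.8.7"}))
```

The first call returns the header value because the proxy is trusted, which is the behaviour the reporter observed; the second ignores the header entirely, which is the check the thread says the plugin performs.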
The curl command is run from the proxy, which has the following IP address: 192.168.176.40 (the same as internalProxies).
So there is no security issue from the code snippet you mention.
Thanks for your feedback
Describe the bug
Hi,
During proxy-based authentication, the IP address contained in remoteIpHeader seems not to be verified against the list of internalProxies. A user can set any IP address and the request is authorized. From my understanding, only the internalProxies list should be accepted. It verifies the remoteIpHeader presence and the IP address format, but not the address value.
Thanks for your feedback
Related component
Clients
To Reproduce
config.yml:
The curl command:
Result of the command:
Expected behavior
OpenSearch should not authorize the request if the remoteIpHeader value does not match the internalProxies list.
Additional Details
Plugins
Please list all plugins currently enabled.
Screenshots
If applicable, add screenshots to help explain your problem.
Host/Environment (please complete the following information):
Additional context
Add any other context about the problem here.