tempesta-tech / tempesta

All-in-one solution for high performance web content delivery and advanced protection against DDoS and web attacks
https://tempesta-tech.com/
GNU General Public License v2.0

[RFC 7239] Forwarded HTTP header & X-Real-IP #1350

Open krizhanovsky opened 5 years ago

krizhanovsky commented 5 years ago

Scope

We support the X-Forwarded-For header, while RFC 7239 introduces the standard Forwarded header, which must also be parsed as a special header. At least the following arguments must be processed:

The host parameter is crucial to keep an application (e.g. using redirects) working, see https://github.com/fideloper/TrustedProxy#why-does-this-matter

We also need to implement an option equivalent to Nginx's set_real_ip_from, e.g.

set_real_ip_from  192.168.1.0/24;
set_real_ip_from  192.168.2.1;
set_real_ip_from  2001:0db8::/32;

Probably the best way to store the IP addresses and netmasks is to use HTrie. A special index-only HTrie extension using a very small data block, not an extent as by default, must be developed. #910 requires data, but also needs a static read-only HTrie with very small data, so the #910 requirements must be addressed in the extension as well. The addresses should be converted to IPv6 form.

Testing

A functional test must be developed as part of the task. Examples from the RFC must be in the test. A test for choosing the right host header (e.g. for HTTPtables) when all the hosts (from the URI and the Host and Forwarded headers) are different is also required. Also test malicious values like mysite "><xss>.
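The trust check behind a set_real_ip_from-style option, as an added example that is not Tempesta FW code: every address is converted to IPv6 form (IPv4 as an IPv4-mapped address, with its prefix length shifted by 96 bits) as the issue suggests, and a linear list stands in for the proposed HTrie. The names to_v6, prefix_eq and peer_is_trusted are hypothetical.

```c
#include <arpa/inet.h>
#include <string.h>

/* Rules from the issue, split into address and prefix length; a linear
 * list stands in for the HTrie the issue proposes (assumption). */
static const struct { const char *net; int plen; } rules[] = {
	{ "192.168.1.0", 24 }, { "192.168.2.1", 32 }, { "2001:0db8::", 32 },
};

/* Parse IPv4 or IPv6 text into IPv6 form; IPv4 becomes ::ffff:a.b.c.d.
 * Returns the offset to add to a prefix length (96 or 0), -1 on error. */
static int to_v6(const char *s, struct in6_addr *out)
{
	struct in_addr v4;

	if (inet_pton(AF_INET, s, &v4) == 1) {
		memset(out, 0, sizeof(*out));
		out->s6_addr[10] = out->s6_addr[11] = 0xff;
		memcpy(&out->s6_addr[12], &v4, sizeof(v4));
		return 96;
	}
	return inet_pton(AF_INET6, s, out) == 1 ? 0 : -1;
}

/* 1 if the first plen bits of a and b are equal. */
static int prefix_eq(const struct in6_addr *a, const struct in6_addr *b,
		     int plen)
{
	for (int i = 0; i < plen; i++)
		if ((a->s6_addr[i / 8] ^ b->s6_addr[i / 8]) & (0x80 >> (i % 8)))
			return 0;
	return 1;
}

/* 1 if the TCP peer is a trusted proxy; unparsable peers never are. */
int peer_is_trusted(const char *peer)
{
	struct in6_addr p, n;
	int shift;

	if (to_v6(peer, &p) < 0)
		return 0;
	for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
		shift = to_v6(rules[i].net, &n);
		if (shift >= 0 && prefix_eq(&n, &p, rules[i].plen + shift))
			return 1;
	}
	return 0;
}
```

Only when this check passes for the connection's peer address should a client address taken from Forwarded or X-Real-IP replace the peer address.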

const-t commented 2 years ago

Hi, I am currently working on this issue for myself. I am almost done with the first and second parts. When I write tests I will PR. Can you assign it to me if you aren't working on this task?

krizhanovsky commented 2 years ago

Hi @const-t ,

I assigned the issue to you and we'll be happy to see a pull request from you!

const-t commented 2 years ago

Parsing of the Forwarded header has been implemented. Functional tests have also been added. Now we need to introduce support for X-Real-IP. X-Real-IP requires functional tests too.

krizhanovsky commented 10 months ago

Also please see the TODO comment in https://github.com/tempesta-tech/tempesta/pull/1994 and do it