diff options
| author | Kim Alvefur <zash@zash.se> | 2023-06-03 21:53:20 +0200 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2023-06-03 21:53:20 +0200 |
| commit | 16381e754de9c633c080784286ff2b141299e136 (patch) | |
| tree | 2a2bf0e4d16d58524f63e58da293420d6890d977 | |
| parent | 8c92b32b7aa5b1457663bf39c4891fcc11fce8e5 (diff) | |
| download | prosody-16381e754de9c633c080784286ff2b141299e136.tar.gz prosody-16381e754de9c633c080784286ff2b141299e136.zip | |
mod_http: Make RFC 7239 Forwarded opt-in for now to be safe
Supporting both methods at the same time may open to spoofing attacks,
whereby a client sends a Forwarded header that is not stripped by a
reverse proxy, leading Prosody to use that instead of the X-Forwarded-*
headers actually sent by the proxy.
By only supporting one at a time, it can be configured to match what the
proxy uses.
Disabled by default since implementations are sparse and X-Forwarded-*
are everywhere.
| -rw-r--r-- | CHANGES | 2 | ||||
| -rw-r--r-- | plugins/mod_http.lua | 13 |
2 files changed, 11 insertions, 4 deletions
@@ -42,7 +42,7 @@ TRUNK - mod_blocklist: New option 'migrate_legacy_blocking' to disable migration from mod_privacy - Ability to use SQLite3 storage using LuaSQLite3 instead of LuaDBI - Moved all modules into the Lua namespace `prosody.` -- Forwarded header from RFC 7239 supported +- Forwarded header from RFC 7239 supported, disabled by default ## Removed diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua index edf220a8..9e07bbea 100644 --- a/plugins/mod_http.lua +++ b/plugins/mod_http.lua @@ -333,11 +333,17 @@ local function get_forwarded_connection_info(request) --> ip:string, secure:bool break end end - - -- Ignore legacy X-Forwarded-For and X-Forwarded-Proto, handling both seems unfeasible. - return ip, secure; end + return ip, secure; +end + +-- TODO switch to RFC 7239 by default once support is more common +if module:get_option_boolean("http_legacy_x_forwarded", true) then +function get_forwarded_connection_info(request) --> ip:string, secure:boolean + local ip = request.ip; + local secure = request.secure; -- set by net.http.server + local forwarded_for = request.headers.x_forwarded_for; if forwarded_for then -- luacheck: ignore 631 @@ -360,6 +366,7 @@ local function get_forwarded_connection_info(request) --> ip:string, secure:bool return ip, secure; end +end module:wrap_object_event(server._events, false, function (handlers, event_name, event_data) local request = event_data.request; |