Mercurial > prosody-hg
comparison plugins/mod_http.lua @ 13127:f45a29b32f7a
mod_http: Make RFC 7239 Forwarded opt-in for now to be safe
Supporting both methods at the same time may open to spoofing attacks,
whereby a client sends a Forwarded header that is not stripped by a
reverse proxy, leading Prosody to use that instead of the X-Forwarded-*
headers actually sent by the proxy.
By only supporting one at a time, it can be configured to match what the
proxy uses.
Disabled by default since implementations are sparse and X-Forwarded-*
are everywhere.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 03 Jun 2023 21:53:20 +0200 |
| parents | d043834f15d2 |
| children | 7a6874f9fd40 |
comparison
equal
deleted
inserted
replaced
| 13126:d043834f15d2 | 13127:f45a29b32f7a |
|---|---|
| 331 secure = secure and proxy.proto == "https"; | 331 secure = secure and proxy.proto == "https"; |
| 332 else | 332 else |
| 333 break | 333 break |
| 334 end | 334 end |
| 335 end | 335 end |
| 336 | 336 end |
| 337 -- Ignore legacy X-Forwarded-For and X-Forwarded-Proto, handling both seems unfeasible. | 337 |
| 338 return ip, secure; | 338 return ip, secure; |
| 339 end | 339 end |
| 340 | |
| 341 -- TODO switch to RFC 7239 by default once support is more common | |
| 342 if module:get_option_boolean("http_legacy_x_forwarded", true) then | |
| 343 function get_forwarded_connection_info(request) --> ip:string, secure:boolean | |
| 344 local ip = request.ip; | |
| 345 local secure = request.secure; -- set by net.http.server | |
| 340 | 346 |
| 341 local forwarded_for = request.headers.x_forwarded_for; | 347 local forwarded_for = request.headers.x_forwarded_for; |
| 342 if forwarded_for then | 348 if forwarded_for then |
| 343 -- luacheck: ignore 631 | 349 -- luacheck: ignore 631 |
| 344 -- This logic looks weird at first, but it makes sense. | 350 -- This logic looks weird at first, but it makes sense. |
| 358 | 364 |
| 359 secure = secure or request.headers.x_forwarded_proto == "https"; | 365 secure = secure or request.headers.x_forwarded_proto == "https"; |
| 360 | 366 |
| 361 return ip, secure; | 367 return ip, secure; |
| 362 end | 368 end |
| 369 end | |
| 363 | 370 |
| 364 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data) | 371 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data) |
| 365 local request = event_data.request; | 372 local request = event_data.request; |
| 366 if request and is_trusted_proxy(request.ip) then | 373 if request and is_trusted_proxy(request.ip) then |
| 367 -- Not included in eg http-error events | 374 -- Not included in eg http-error events |
