
X-Forwarded-For HTTP Header isn't used

Open nickntg opened this issue 2 years ago • 7 comments

I think that the value of X-Forwarded-For is not set in the RemoteIpAddress as stated in the doc. A custom rule is required for load balancers forwarding this header.

nickntg avatar May 25 '23 18:05 nickntg

Proposing PR #12 for this issue.

nickntg avatar Jun 11 '23 08:06 nickntg

@nickntg Do you know of a temporary workaround for this while we wait for the fix to be merged?

Crownpack07 avatar Feb 23 '24 14:02 Crownpack07

The RemoteIpAddress should be set automatically by the corresponding ASP.NET Core middleware if you have configured it correctly. Obviously you must plug the forwarded for middleware before the firewall middleware for it to be picked up by the firewall as well. If the RemoteIpAddress is not set correctly then the forwarded for middleware is misconfigured. I don't think there is a bug in the firewall here. Maybe show me some code of your middlewares and I can help diagnose the issue.

dustinmoris avatar Feb 26 '24 17:02 dustinmoris

A common error I see is that the Forwarded header middleware only trusts localhost proxies by default. The RemoteIpAddress etc. will not be set if the proxy is not running on localhost. See https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-8.0.

The following shows how to bypass that for testing; for prod you should specify the proxy - see example

        // Sort out headers so works in front of a proxy
        // (ForwardedHeadersOptions and ForwardedHeaders are in Microsoft.AspNetCore.HttpOverrides)
        var config = new ForwardedHeadersOptions()
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto,
            ForwardLimit = 100
        };
        // https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-8.0
        // By default the code only trusts localhost proxies, which doesn't help us in Docker or K8s.
        // With both lists empty, forwarded headers are accepted from any sender.
        config.KnownProxies.Clear();
        config.KnownNetworks.Clear();
        app.UseForwardedHeaders(config);

davidglassborow avatar Feb 26 '24 18:02 davidglassborow
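
One way the "specify the proxy" production variant mentioned above could look, as an added example that is not code from this thread or from the Firewall project. The ingress pod network `10.244.0.0/16`, the single proxy hop and the `/whoami` diagnostic route are assumptions; with the lists left empty, any client that can reach the app directly can choose the address the firewall sees by sending its own X-Forwarded-For.

```csharp
// Added example (Program.cs, ASP.NET Core 8 minimal hosting). All addresses are constructed placeholders.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // Process only as many X-Forwarded-For entries as there are proxy hops.
    // Assumption: exactly one ingress controller sits in front of the app.
    options.ForwardLimit = 1;

    // Replace the loopback-only defaults with the proxies that really front the app.
    options.KnownProxies.Clear();
    options.KnownNetworks.Clear();

    // Assumption: ingress controller pods get addresses from 10.244.0.0/16.
    // Fully qualified because System.Net also defines an IPNetwork type in .NET 8.
    options.KnownNetworks.Add(
        new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("10.244.0.0"), 16));

    // Alternative for a proxy with a fixed address (constructed value):
    // options.KnownProxies.Add(IPAddress.Parse("10.0.0.10"));
});

var app = builder.Build();

// Must run before any middleware that reads Connection.RemoteIpAddress.
app.UseForwardedHeaders();

// Register the firewall middleware here, after UseForwardedHeaders.

// Diagnostic route (hypothetical name): shows what the pipeline ended up with.
app.MapGet("/whoami", (HttpContext ctx) => new
{
    // Client address after the middleware applied the header.
    remoteIp = ctx.Connection.RemoteIpAddress?.ToString(),
    // Entries the middleware did not consume (untrusted or beyond ForwardLimit).
    remainingForwardedFor = ctx.Request.Headers["X-Forwarded-For"].ToString(),
    // Address of the directly connected peer, saved by the middleware when it applies the header.
    originalFor = ctx.Request.Headers["X-Original-For"].ToString()
});

app.Run();
```

If `remoteIp` still shows the ingress pod and `originalFor` is empty, the connecting address did not match the configured proxies or networks and the header was ignored.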

> The RemoteIpAddress should be set automatically by the corresponding ASP.NET Core middleware if you have configured it correctly. Obviously you must plug the forwarded for middleware before the firewall middleware for it to be picked up by the firewall as well. If the RemoteIpAddress is not set correctly then the forwarded for middleware is misconfigured. I don't think there is a bug in the firewall here. Maybe show me some code of your middlewares and I can help diagnose the issue.

So with this, I have added the configuration as it is highlighted in the docs, see the screenshot below (we are using this along with Yarp), and it seems to work on my local machine but does not map the remote IP address correctly in our Kubernetes environment where the traffic is controlled using an nginx controller that plays a load balancer role, it keeps the Nginx pod's IP address as the remote IP address.

[image]

This is just a snippet of where the firewall is configured with some debug logs when the access denied delegate is triggered.

Could the problem be the fact that I am configuring the firewall on the Yarp pipeline?

Crownpack07 avatar Feb 27 '24 07:02 Crownpack07

> > The RemoteIpAddress should be set automatically by the corresponding ASP.NET Core middleware if you have configured it correctly. Obviously you must plug the forwarded for middleware before the firewall middleware for it to be picked up by the firewall as well. If the RemoteIpAddress is not set correctly then the forwarded for middleware is misconfigured. I don't think there is a bug in the firewall here. Maybe show me some code of your middlewares and I can help diagnose the issue.
>
> So with this, I have added the configuration as it is highlighted in the docs, see the screenshot below (we are using this along with Yarp), and it seems to work on my local machine but does not map the remote IP address correctly in our Kubernetes environment where the traffic is controlled using an nginx controller that plays a load balancer role, it keeps the Nginx pod's IP address as the remote IP address.
>
> [image] This is just a snippet of where the firewall is configured with some debug logs when the access denied delegate is triggered.
>
> Could the problem be the fact that I am configuring the firewall on the Yarp pipeline?

Read my comment - you need to either clear the KnownProxies, or add your K8 ingress as a KnownProxy.

davidglassborow avatar Feb 27 '24 07:02 davidglassborow

@davidglassborow It worked, thank you very much for the assistance

Crownpack07 avatar Feb 27 '24 10:02 Crownpack07