
HTTPS and mod_remoteip

Open kncsvk opened this issue 6 years ago • 3 comments

  • bug fix
  • BC break? no

I have a web server setup with an HTTP proxy and an Apache web server with the mod_remoteip module (this module replaces REMOTE_ADDR with the real client IP instead of the proxy IP). HTTP works as expected, but with HTTPS I have these problems:

With router: $router[] = new Route('<presenter>/<action>[/<id>]', 'Dashboard:default'); The resulting URL was https://example.com:80/

With router: $router[] = new Route('https://%host%/<presenter>/<action>[/<id>]', 'Dashboard:default'); The result in the browser was a redirect loop (ERR_TOO_MANY_REDIRECTS)

I searched the code and found that HTTP_X_FORWARDED* headers are ignored if they didn't come from a trusted proxy. After bypassing this check for HTTP_X_FORWARDED_PROTO and HTTP_X_FORWARDED_PORT, the router works again as expected. I don't see any security problem if these two variables didn't come from a trusted proxy.

kncsvk avatar Jan 06 '19 06:01 kncsvk

You can spam the application with a shitload of errors if the app breaks with an incompatible URL. In the worst case it would be possible, e.g., to send a user an email with the URL of an attacker's website.

mabar avatar Jul 01 '19 07:07 mabar

You can always mark all proxies as trusted with setProxy('0.0.0.0/0') if your network setup ensures that your app is always behind a trusted proxy.

JanTvrdik avatar Jul 01 '19 14:07 JanTvrdik

@kncsvk does this work for you: (https://doc.nette.org/cs/3.0/configuring#toc-http-proxy)

http:
    proxy: 0.0.0.0/0

dg avatar Jul 03 '19 13:07 dg
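
Added example (not part of the thread and not Nette's own code): a simplified PHP sketch of the trusted-proxy gate discussed above, showing why X-Forwarded-Proto and X-Forwarded-Port are dropped once REMOTE_ADDR no longer matches a configured proxy range, and what 0.0.0.0/0 changes. It assumes the trust decision is made on REMOTE_ADDR; the function names and addresses are constructed, and the CIDR match is IPv4 only.

```php
<?php
declare(strict_types=1);

// Added sketch, not Nette's code. Assumption: the trust decision is made on
// REMOTE_ADDR. Function names and addresses are constructed. IPv4 only.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    $bits = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // malformed or non-IPv4 input is never trusted
    }
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Returns [scheme, port]. X-Forwarded-* is honoured only when the TCP peer
// (REMOTE_ADDR) lies inside one of the trusted proxy ranges.
function resolveSchemeAndPort(array $server, array $trustedProxies): array
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    $scheme = ($https !== '' && $https !== 'off') ? 'https' : 'http';
    $port = (int) ($server['SERVER_PORT'] ?? 80);
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    $trusted = (bool) array_filter($trustedProxies, fn($c) => ipInCidr($peer, (string) $c));
    if (!$trusted) {
        return [$scheme, $port]; // client-supplied headers are ignored
    }
    $proto = strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    if ($proto === 'http' || $proto === 'https') {
        $scheme = $proto;
        $port = $proto === 'https' ? 443 : 80;
    }
    $fwdPort = (string) ($server['HTTP_X_FORWARDED_PORT'] ?? '');
    if (ctype_digit($fwdPort) && (int) $fwdPort >= 1 && (int) $fwdPort <= 65535) {
        $port = (int) $fwdPort;
    }
    return [$scheme, $port];
}

$fwd = ['SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_PORT' => '443'];
// Peer is the proxy itself: forwarded headers are accepted.
var_export(resolveSchemeAndPort($fwd + ['REMOTE_ADDR' => '10.0.0.5'], ['10.0.0.0/8']));
// REMOTE_ADDR already rewritten to the client address: headers are ignored.
var_export(resolveSchemeAndPort($fwd + ['REMOTE_ADDR' => '203.0.113.7'], ['10.0.0.0/8']));
// 0.0.0.0/0 trusts every IPv4 peer, including clients that bypass the proxy.
var_export(resolveSchemeAndPort($fwd + ['REMOTE_ADDR' => '203.0.113.7'], ['0.0.0.0/0']));
```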