
Use last forwarded IP

Open ryanhiebert opened this issue 10 months ago • 4 comments

Well-behaved forwarders will append the IP they're forwarding for to an existing list. In the most typical case, this means that only the last one is trustworthy from a spoofing request-maker.

And all this is assuming that the proxy itself is trusted.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#security_and_privacy_concerns

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

ryanhiebert avatar Apr 15 '24 11:04 ryanhiebert

mind adding a test in

Looks like there was already a test of the old behavior. I updated it to reflect the new behavior.

ryanhiebert avatar Apr 16 '24 01:04 ryanhiebert

fwiw, this is general good practice for use in front of load balancers, but I don't know nearly enough about the many ways that Sentry is used to know whether this is an important attack vector. I'm reading some comments about using X-Forwarded-For as an API to communicate from a tunnel to the server, and I really don't know how this would interact with scenarios like that.

ryanhiebert avatar Apr 19 '24 01:04 ryanhiebert

fwiw, this is general good practice for use in front of load balancers, but I don't know nearly enough about the many ways that Sentry is used to know whether this is an important attack vector. I'm reading some comments about using X-Forwarded-For as an API to communicate from a tunnel to the server, and I really don't know how this would interact with scenarios like that.

Yes I'm talking with some SRE folks internally about some of the security details of this -- been a long time since I ran a server :) hope to make progress on this soon.

JoshFerge avatar Apr 19 '24 03:04 JoshFerge

I'm currently having to put my Sentry tunnel behind an Apache proxy which is behind an ALB. And I can't figure out how to get Apache to not mess with the X-Forwarded-* headers. So for the risks of spoofing, getting the first from the list is actually probably better for me at the moment, so that I don't have to rewrite those headers in my tunnel, I can just pass them along.

ryanhiebert avatar Apr 26 '24 18:04 ryanhiebert
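The two situations discussed in this thread, the single trusted proxy that appends the connecting address (the PR description) and the ALB-then-Apache chain where the rightmost entry is the inner proxy's peer rather than the end client (the last comment), worked through in an added example. This is illustrative code, not Sentry's code or the PR's diff: the header values and the 10.0.0.0/8 "trusted proxy" range are constructed for the example, and `client_ip` is a generalisation of the PR's take-the-last-entry rule that walks from the right and skips addresses belonging to proxies you operate, which is what the chained deployment needs.

```python
import ipaddress

# Constructed sample header values (not taken from the PR or from Sentry).
# Each hop that forwards a request appends the address it received the
# request *from*, so only the rightmost entries were written by hops we run.
#
# A request-maker at 203.0.113.9 sends "X-Forwarded-For: 1.2.3.4" to a single
# trusted proxy, which appends the real source address:
SINGLE_PROXY = "1.2.3.4, 203.0.113.9"
# The same request through a chain: an ALB (10.0.0.5) appends 203.0.113.9,
# then an Apache hop behind the ALB appends the ALB's own address:
CHAINED = "1.2.3.4, 203.0.113.9, 10.0.0.5"

# Hypothetical address range of the proxies we operate (assumed for the
# example; not a Sentry setting).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_forwarded_for(header):
    """Split an X-Forwarded-For value into its comma-separated entries."""
    return [part.strip() for part in header.split(",") if part.strip()]


def first_forwarded_ip(header):
    """Old behaviour: the leftmost entry, which the request-maker chooses freely."""
    entries = parse_forwarded_for(header)
    return entries[0] if entries else None


def last_forwarded_ip(header):
    """Behaviour proposed in the PR: the rightmost entry, appended by the last hop."""
    entries = parse_forwarded_for(header)
    return entries[-1] if entries else None


def client_ip(header, trusted_proxies=TRUSTED_PROXIES):
    """Rightmost entry that is not one of our own proxies.

    Walking from the right skips the addresses appended by hops we trust, so a
    multi-hop chain (ALB -> Apache -> app) still yields the address that the
    outermost trusted hop saw. Entries to the left of that were supplied by an
    untrusted party and are never consulted.
    """
    entries = parse_forwarded_for(header)
    for entry in reversed(entries):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # A malformed entry in the trusted tail: refuse rather than guess.
            return None
        if any(addr in net for net in trusted_proxies):
            continue
        return str(addr)
    # Every entry belonged to one of our proxies (or the header was empty);
    # the caller should fall back to the TCP peer address instead.
    return None


if __name__ == "__main__":
    for name, header in (("single proxy", SINGLE_PROXY), ("chained", CHAINED)):
        print(name,
              "| first:", first_forwarded_ip(header),
              "| last:", last_forwarded_ip(header),
              "| trusted walk:", client_ip(header))
```

With the single proxy, `first_forwarded_ip` returns the spoofed `1.2.3.4` while `last_forwarded_ip` and `client_ip` both return `203.0.113.9`. In the chained case `last_forwarded_ip` returns the ALB's `10.0.0.5`, which is the problem the Apache-behind-ALB comment runs into; `client_ip` skips the ALB and returns `203.0.113.9` without ever trusting the leftmost entry. As the PR description notes, any of this only holds when the TCP peer that delivered the header is itself a trusted proxy; a header arriving directly from the internet should be ignored entirely.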