Allow using 'x-forwarded-for' as source ip addr
Now it can use 'x-forwarded-for' as the real source IP address, for situations such as an HTTP server behind Cloudflare.
Enable it with forwarded_as_sources_ip
Test with Cloudflare CDN service:
- Without forwarded_as_sources_ip, the module didn't detect my real source IP.
- With forwarded_as_sources_ip, the module now can detect my real source IP.
This is insecure and should not be merged as-is. The X-Forwarded-For header is spoofable. (Someone could set the header to an IP from an allowed country then send that directly to Caddy)
Caddy provides a secure way of reading the data from that header via https://caddyserver.com/docs/caddyfile/options#trusted-proxies. The plugin could read from the client_ip stored in the request context, and match against that.
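The trusted-proxy check described in the comment above, as an added standalone Go example that is not part of this thread and is neither Caddy's nor the plugin's code: the forwarded header is honored only when the TCP peer is a configured proxy. The function names, the right-to-left walk and the sample addresses are assumptions made for illustration.

```go
package main
import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// clientIP reads X-Forwarded-For only when the TCP peer is in a trusted proxy range.
func clientIP(r *http.Request, trusted []netip.Prefix) (netip.Addr, error) {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return netip.Addr{}, err
	}
	peer := ap.Addr().Unmap()
	if !inAny(peer, trusted) {
		return peer, nil // direct client: any forwarded header is untrusted input
	}
	// Walk right to left: the rightmost entries were appended by our own proxies.
	hops := strings.Split(strings.Join(r.Header.Values("X-Forwarded-For"), ","), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed entry: stop rather than trust anything left of it
		}
		if ip = ip.Unmap(); !inAny(ip, trusted) {
			return ip, nil
		}
	}
	return peer, nil
}

func inAny(ip netip.Addr, prefixes []netip.Prefix) bool {
	for _, p := range prefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values (documentation address ranges).
	trusted := []netip.Prefix{netip.MustParsePrefix("198.51.100.0/24")}
	r, _ := http.NewRequest("GET", "http://example.test/", nil)
	r.Header.Set("X-Forwarded-For", "203.0.113.7")
	r.RemoteAddr = "192.0.2.10:40000" // peer is not a trusted proxy
	ip, _ := clientIP(r, trusted)
	fmt.Println("address used for matching:", ip)
}
```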
Yeah, that's correct. It's what I wanted to answer, then my wife had a baby and I totally forgot about this :P I'm gonna make the change to rely on Caddy's first-class support for this. PRs welcome meanwhile :)
Yes, Caddy now supports client_ip; before that, I used it a long time ago.
Yeah, I see and I'm happy your fork solved the situation for you. Actually, first-class support for client IP was introduced with https://github.com/caddyserver/caddy/pull/5104 that dates a little before your pull request. That's why I never merged it: I planned to rely on Caddy official support, but I never managed to implement it and I forgot to update about this on this PR. My fault, sorry.
If you or @francislavoie or anyone else is willing to do a PR for this, that would be really appreciated.
@ale-rinaldi
Ready! PR https://github.com/porech/caddy-maxmind-geolocation/pull/26 and https://github.com/porech/caddy-maxmind-geolocation/pull/27
Good job @ZeroAnarchy! They're merged.