[RFC 7239] Forwarded HTTP header & X-Real-IP
Scope
We support the X-Forwarded-For header, while RFC 7239 introduces the standard Forwarded header, which must also be parsed as a special header. At least the following arguments must be processed:
- [X] `for` as current `X-Forwarded-For`
- [X] `host` as current `Host` header and URI host part. Tempesta must correctly choose the right host header (e.g. for HTTPtables) if all the hosts (from URI and Host and Forwarded headers) are different.
- [ ] `X-Real-IP` is another header passing real client IP (just checked that my home router and 3G network proxy set this header)
The host parameter is crucial to keep an application (e.g. using redirects) working, see https://github.com/fideloper/TrustedProxy#why-does-this-matter
Also need to implement an equivalent option to Nginx's set_real_ip_from, e.g.
set_real_ip_from 192.168.1.0/24;
set_real_ip_from 192.168.2.1;
set_real_ip_from 2001:0db8::/32;
~Probably the best way to store the IP addresses and netmasks is to use Htrie. A special index-only Htrie extension using very small data block, not extent as by default, must be developed. #910 requires data, but also needs static read-only HTrie with a very small data, so the #910 requirements must be addressed in the extension as well.~ UPDATE: this is wrong: HTrie is a dynamic data structure, optimized for high concurrency including updates and removals. A better way is to use a hash table with perfect hashing (which we can achieve on configuration). An alternative, probably somewhat worse, approach is to use a simple hash table with Bloom filter acceleration.
The addresses should be converted to IPv6 form.
Testing
A functional test must be developed as part of the task. Examples from the RFC must be in the test. Also the test for choosing the right host header (e.g. for HTTPtables) if all the hosts (from URI and Host and Forwarded headers) are different is required. Also test malicious values like mysite “><xss>.
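A sketch of the `set_real_ip_from`-style trust check described under Scope, with every address and network kept in IPv6 form (IPv4 as `::ffff:a.b.c.d`). This is an added user-space example, not Tempesta FW code: the names `trusted_net`, `parse_trusted`, `peer_is_trusted` and `page_conf` are hypothetical, and it uses a linear scan rather than the perfect-hash table proposed above.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The three set_real_ip_from values quoted in the issue. */
const char *const page_conf[] = { "192.168.1.0/24", "192.168.2.1", "2001:0db8::/32" };
/* Trusted network kept in IPv6 form; plen counts bits out of 128. */
struct trusted_net { struct in6_addr addr; unsigned plen; };

/* 1: IPv4 text, stored as ::ffff:a.b.c.d; 0: IPv6 text; -1: not an address. */
static int to_ipv6(const char *s, struct in6_addr *out)
{
	struct in_addr v4;
	if (inet_pton(AF_INET6, s, out) == 1) return 0;
	if (inet_pton(AF_INET, s, &v4) != 1) return -1;
	memset(out, 0, sizeof(*out));
	out->s6_addr[10] = out->s6_addr[11] = 0xff;
	memcpy(&out->s6_addr[12], &v4, 4);
	return 1;
}

/* Parse "addr" or "addr/len"; an IPv4 prefix length is shifted by 96 bits. */
int parse_trusted(const char *spec, struct trusted_net *n)
{
	char buf[64], *slash, *end = NULL;
	if (snprintf(buf, sizeof(buf), "%s", spec) >= (int)sizeof(buf)) return -1;
	if ((slash = strchr(buf, '/'))) *slash = '\0';
	int v4 = to_ipv6(buf, &n->addr);
	if (v4 < 0) return -1;
	unsigned long max = v4 ? 32 : 128, len = max;
	if (slash) len = strtoul(slash + 1, &end, 10);
	/* Reject an empty length ("/"), trailing junk and oversized prefixes. */
	if (slash && (end == slash + 1 || *end || len > max)) return -1;
	n->plen = (unsigned)len + (v4 ? 96 : 0);
	return 0;
}

/* 1 if peer (the TCP source address) lies inside one of the networks. */
int peer_is_trusted(const char *peer, const struct trusted_net *nets, size_t cnt)
{
	struct in6_addr p;
	if (to_ipv6(peer, &p) < 0) return 0;
	for (size_t i = 0; i < cnt; i++) {
		const unsigned char *a = nets[i].addr.s6_addr;
		unsigned full = nets[i].plen / 8, rem = nets[i].plen % 8;
		if (memcmp(p.s6_addr, a, full)) continue;
		if (!rem || !((p.s6_addr[full] ^ a[full]) >> (8 - rem))) return 1;
	}
	return 0;
}
```

Only when the connection's source address passes this check should `Forwarded`, `X-Forwarded-For` or `X-Real-IP` be allowed to replace the client address; from any other peer those headers are client-controlled input.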
Hi, I am currently working on this issue for myself. I am almost done with the first and second parts. When I write the tests I will send a PR. Can you assign it to me if you aren't working on this task?
Hi @const-t,
I assigned the issue to you and we'll be happy to see a pull request from you!
Parsing of the Forwarded header has been implemented. Functional tests have also been added. Now we need to introduce support of X-Real-IP. X-Real-IP requires functional tests too.
Also please see the TODO comment in https://github.com/tempesta-tech/tempesta/pull/1994 and do it