
V2Ray's handling of X-Forwarded-For is flawed

Open AkinoKaede opened this issue 4 years ago • 12 comments

First of all, special thanks to @rhjdvsgsgks

Which version of V2Ray are you using?

v4.38.3

What unexpected behaviour do you see?

V2Ray prefers the first value in X-Forwarded-For as the source IP for WebSocket and HTTP/2 transport inbounds, and this cannot be turned off. A client can forge X-Forwarded-For arbitrarily.

Test configuration

Server configuration:

{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 12456,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "1587873b-edf6-4f43-bfdc-ba5311b4978a",
                        "level": 1,
                        "email": "[email protected]"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "ws",
                "wsSettings": {
                    "path": "/"
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        }
    ]
}

Client configuration:

{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": "10800",
            "protocol": "socks",
            "settings": {
                "auth": "noauth",
                "udp": true,
                "ip": "127.0.0.1"
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "127.0.0.1",
                        "port": 12456,
                        "users": [
                            {
                                "id": "1587873b-edf6-4f43-bfdc-ba5311b4978a",
                                "encryption": "none",
                                "level": 0
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "ws",
                "wsSettings": {
                    "path": "/",
                    "headers": {
                        "Host": "test.com",
                        "X-Forwarded-For": "8.8.8.8"
                    }
                }
            },
            "tag": "proxy"
        },
        {
            "protocol": "freedom",
            "tag": "direct"
        }
    ]
}

Please attach the error log the software produced

Server-side error log:

2021/05/26 13:08:55 8.8.8.8:0 accepted tcp:www.google.com:443 email: [email protected]

AkinoKaede avatar May 26 '21 05:05 AkinoKaede

Also, even if it were changed to take the last value, the problem would still exist when there is no server such as Nginx in front to append X-Forwarded-For.

AkinoKaede avatar May 26 '21 05:05 AkinoKaede

What an awkward situation.

Drop support for X-Forwarded-For in the client's headers; that is the worst-case option, of course.

CalmLong avatar May 26 '21 23:05 CalmLong

> What an awkward situation.
>
> Drop support for X-Forwarded-For in the client's headers; that is the worst-case option, of course.

The simplest approach would be to add a config option to enable or disable this feature…

AkinoKaede avatar May 27 '21 11:05 AkinoKaede

https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Forwarded-For#%E8%A7%84%E8%8C%83

Although it is a widely followed convention, it is not actually a standard.

CalmLong avatar May 28 '21 00:05 CalmLong

The correct approach is to add a list of trusted proxies, e.g. 127.0.0.1, then match from back to front until an untrusted IP is found and take that IP as the client IP. Alternatively, the number of proxy layers i can be specified directly and for[-i] taken as the real IP; that is what werkzeug does.

Personally I think a config item trustedProxies of type string list could be added to wsSettings and httpSettings.

frankli0324 avatar Jun 11 '21 09:06 frankli0324
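The trusted-proxy walk and the fixed-depth alternative described in the comment above, as an added Go example that is not v2ray-core's own code. It assumes the peer IP is passed with the port already stripped; all addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ClientIP resolves the client address from the peer IP of the TCP connection
// and the X-Forwarded-For header. A header from an untrusted peer is ignored
// outright (a direct client can put anything in it); otherwise the header is
// walked from the right, skipping trusted proxies, and the first other address
// is the client.
func ClientIP(peerIP, xff string, trusted []string) string {
	trust := map[string]bool{}
	for _, t := range trusted {
		trust[t] = true
	}
	if !trust[peerIP] {
		return peerIP
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		h := strings.TrimSpace(hops[i])
		if net.ParseIP(h) == nil {
			break // empty header or malformed hop: fall back to the peer
		}
		if !trust[h] {
			return h
		}
	}
	return peerIP // every hop was a trusted proxy
}

// ClientIPByDepth is the fixed-depth variant: with depth proxies in front of
// the server, the client is the depth-th hop from the end of the header.
func ClientIPByDepth(peerIP, xff string, depth int) string {
	hops := strings.Split(xff, ",")
	if depth >= 1 && depth <= len(hops) {
		if h := strings.TrimSpace(hops[len(hops)-depth]); net.ParseIP(h) != nil {
			return h
		}
	}
	return peerIP // header shorter than the configured depth, or malformed
}

func main() {
	// Constructed inputs: a direct client forging the header, then one behind a trusted nginx.
	fmt.Println(ClientIP("198.51.100.9", "8.8.8.8", []string{"127.0.0.1"}))
	fmt.Println(ClientIP("127.0.0.1", "8.8.8.8, 198.51.100.9", []string{"127.0.0.1"}))
}
```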

I don't think there is any problem here. The difference between nginx's $remote_addr and $proxy_add_x_forwarded_for: if you don't want forgery, just use $remote_addr! proxy_set_header X-Forwarded-For $remote_addr;

ilpl avatar Jun 20 '21 05:06 ilpl

> I don't think there is any problem here. The difference between nginx's $remote_addr and $proxy_add_x_forwarded_for: if you don't want forgery, just use $remote_addr! proxy_set_header X-Forwarded-For $remote_addr;

Not every user puts Nginx in front of the inbound to forward the connection…

AkinoKaede avatar Jun 20 '21 14:06 AkinoKaede

Reverse proxies such as CDNs and load balancers are outside the v2 user's control. A correct implementation is necessary.

frankli0324 avatar Jun 20 '21 17:06 frankli0324

This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Oct 19 '21 01:10 github-actions[bot]

Who should be pinged about this issue?

frankli0324 avatar Oct 19 '21 04:10 frankli0324

This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Feb 20 '22 01:02 github-actions[bot]

why is this issue STILL not closed?

frankli0324 avatar May 12 '22 19:05 frankli0324

This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Sep 10 '22 02:09 github-actions[bot]