undefined | Better HN

0 pointsremram5y ago0 comments

AFAIK the common issue is software written or configured to read the header but deployed without a reverse proxy. If the load balancer is configured to set it, are there still security issues?

0 comments

whatsmyusername5y ago

It isn't unknown for software to have problems in the OTHER direction with the Proxy header. Guzzle had this, where you could set a Proxy request header and all the curl requests would try to use the address you sent for it's calls.

Any header the user can set is always suspect.

We 'use' it when the ALB sets it for real-client-ip in nginx (while understanding that if something looks weird we should look at the full header). However a better solution is if your edge service sets (and protects, that's important) a header with the client IP to use that.

Cloudflare does this. Fastly does this as well, and I know Fastly protects it because I tested this specifically.

Cloudflare actually can set it in two different ways, however one of the ways is an upsell (only because it names it Real-Client-Ip which is apparently something set by other products, including Fastly). I was very amused when I got the Cloudflare rep to admit that.

tylergetsay5y ago

Depends, some load balancers may think they are behind another load balancer, and forward the header. This is default behavior iirc.

shreyansh_k5y ago

A well behaving reverse proxy or load balancer would not cause security issues. The header contains both 'for' and 'by' parameters. If they are properly filled by the proxies, then it's not a security issue.

source: author of django-forwarded middleware, finds client IP from XFF header.

j / k navigate · click thread line to collapse