mod_http: Make RFC 7239 Forwarded opt-in for now to be safe
Supporting both methods at the same time may open to spoofing attacks,
whereby a client sends a Forwarded header that is not stripped by a
reverse proxy, leading Prosody to use that instead of the X-Forwarded-*
headers actually sent by the proxy.
By only supporting one at a time, it can be configured to match what the
proxy uses.
Disabled by default since implementations are sparse and X-Forwarded-*
are everywhere.
--- a/CHANGES Sat Jun 03 17:10:04 2023 +0200
+++ b/CHANGES Sat Jun 03 21:53:20 2023 +0200
@@ -42,7 +42,7 @@
- mod_blocklist: New option 'migrate_legacy_blocking' to disable migration from mod_privacy
- Ability to use SQLite3 storage using LuaSQLite3 instead of LuaDBI
- Moved all modules into the Lua namespace `prosody.`
-- Forwarded header from RFC 7239 supported
+- Forwarded header from RFC 7239 supported, disabled by default
## Removed
--- a/plugins/mod_http.lua Sat Jun 03 17:10:04 2023 +0200
+++ b/plugins/mod_http.lua Sat Jun 03 21:53:20 2023 +0200
@@ -333,10 +333,16 @@
break
end
end
+ end
- -- Ignore legacy X-Forwarded-For and X-Forwarded-Proto, handling both seems unfeasible.
- return ip, secure;
- end
+ return ip, secure;
+end
+
+-- TODO switch to RFC 7239 by default once support is more common
+if module:get_option_boolean("http_legacy_x_forwarded", true) then
+function get_forwarded_connection_info(request) --> ip:string, secure:boolean
+ local ip = request.ip;
+ local secure = request.secure; -- set by net.http.server
local forwarded_for = request.headers.x_forwarded_for;
if forwarded_for then
@@ -360,6 +366,7 @@
return ip, secure;
end
+end
module:wrap_object_event(server._events, false, function (handlers, event_name, event_data)
local request = event_data.request;