integrate proxy-addr

[tj]

re: expressjs/expressjs.com#152 (comment)
or whatever we decide is the way to go in those discussions

https://github.com/expressjs/proxy-addr/

[jonathanong]

need to make a PR with https://github.com/expressjs/proxy-addr. i'm not 100% sure what's going on here, but at least it'll match express

[jonathanong]

waiting until @dougwilson redos proxy-addr to the point i can understand :D

[dougwilson]

@jonathanong I'll try to get something today, time pending :) From the title of this, are you intending to use it to do hop counting instead of whitelisting?

[tj]

opened this during the discussion before, I'm cool with doing whatever we end up doing in express, might as well keep them similar

[dougwilson]

Thanks @visionmedia :) Express allows for both. I'm basically working to rip out all those accessors for express into a module to use cross-project (req.secure, req.protocol, req.ip, req.ips, req.host). It can be implemented easily in koa now, but it'd be some copy-pasta from express until those are moved into a direct library.

[tj]

sweet! even if we have:

req = new Forwarded(req);
req.ip
req.ips
req.secure
req.protocol

it would be easy to wrap up so we're not directly manipulating req until the framework level. I just saw the official support for Forwarded in the new http 1.1 spec thing too, not sure how fast people will roll that out but having a similar set of libs between express/koa/others would definitely be sweet

[dougwilson]

I just saw the official support for Forwarded in the new http 1.1 spec thing too

Yea, I saw that too and it is nice that there is something official now :) I was thinking of adding it, but adding support for it right now is a security risk, because no proxies are filtering out Forwarded, so it's super easy to forge currently. It would have to be like opt-in or something if you know your proxy is generating Forwarded headers instead of the old headers or whatever.

[jonathanong]

@dougwilson what do you think about integrating this now?

[jonathanong]

@dougwilson or are you still planning to release a trust module?

[dougwilson]

proxy-addr will be split apart some more at some point, but AFAIK there isn't a reason proxy-addr cannot be used as-is currently in koa.

[jonathanong]

👍

[amit777]

Hi, we noticed an issue when there are potentially multiple proxies and app.proxy = true. We occasionally end up with private IP addresses in the logs. I think the situation can happen in this example:

User (10.1.1.1) -> Corporate Web Proxy(1.1.1.1) ->  Our HAProxy(2.2.2.2) -> KoaApp (10.2.2.2)

in this scenereo, 10.1.1.1 is returned in this.ip instead of 1.1.1.1

Maybe we also could use another option called "app.filterPrivateIps = true" which will actually filter out any RFC1918 ips from this.ips. indutny's "ip" module has an .isPrivate() method that may be helpful.

[amit777]

Oh cool, it looks like proxy-addr actually may solve the exact issue I described above.

[ruimarinho]

@amit777 this may or may not be an option depending on your setup, but one alternative thing you can do is to filter those ips before they hit the koa app. nginx allows this via the realip, i.e. to trust the X-Forwarded-For header by pre-setting a list of trusted ips (including private ones).

[jonathanong]

o i c. proxy-addr doesn't do as much as i thoguht it would in its current form. right now, the benefit is minimal.

• v1.0.0-rc.1 jshttp/forwarded#1
• parse all X-Forwarded-* headers with trust

[amit777]

Just as a note, I found this in one of my logs even though I don't have ipv6 enabled on the server. Seems like some strange proxy setting headers in a funny way. The IP address at the end is my own public ip (though i've changed it to something random and invalid for anonymity).

::ffff:267.211.128.66

[amit777]

Altenatively, maybe could have something like an array of trusted headers by priority...

app.trustedProxyHeaders = ['X-Real-IP', 'X-Forwaded-For'] and then the app.ips() method could use that. I'm going to configure HAProxy to set the X-Real-IP, but I was hoping for a simple way for me to configure all my koa apps to pick it up. ALl my koa apps sit behind haproxy.

[ahmadnassri]

FYI for anybody interested: resumed progress on jshttp/forwarded/pull/1 any assistance is welcome, whether in the form of review, feedback, contribution, or simply cheering :)