Add Support for Trusted Proxy Detection on Forwarded Requests #44184
Conversation
This commit introduces a way to determine if a request behind a proxy has been forwarded by a trusted proxy. It implements a custom header (`X-Forwarded-Trusted-Proxy`) that allows request processing to verify the presence of this header, indicating the request originated from a trusted source. To prevent forgery, any incoming request containing this custom header has it removed before further processing.
🎊 PR Preview d085393 has been successfully built and deployed to https://quarkus-pr-main-44184-preview.surge.sh/version/main/guides/
I've added the backport label because it was requested. Now, it's a feature (minimal but still a feature), so I won't fight for it. If it merges clean, that's okay.
Is there a chance this will get backported to 3.15?

@vmuzikar I added the label.
This PR introduces a way to determine if a trusted proxy has forwarded a request behind a proxy. It implements a custom header (`X-Forwarded-Trusted-Proxy`) that allows request processing to verify the presence of this header, indicating the request originated from a trusted source. To prevent forgery, any incoming request containing this custom header has it removed before further processing.
CC @shawkins
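The strip-then-mark flow described in the PR summary and the description above, as an added illustration in Python that is not Quarkus code and does not use the Quarkus API; the trusted-proxy ranges, the header value `"true"`, and the `client_ip` helper showing how a downstream handler might use the marker are all assumptions for this example:

```python
import ipaddress

# Marker header name from the PR description.
TRUSTED_PROXY_HEADER = "X-Forwarded-Trusted-Proxy"

# Constructed sample trusted-proxy ranges (an assumption for this example;
# the PR text does not say how trust is configured).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted_proxy(remote_addr, trusted=TRUSTED_PROXIES):
    """True when the directly connected peer is inside a trusted range."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def process_request(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """Return the header map that downstream handlers should see.

    Step 1: drop any client-supplied copy of the marker, matching the name
    case-insensitively (HTTP header names are case-insensitive, so a strip
    that only matched one spelling could be bypassed).
    Step 2: add the marker only when the peer is a trusted proxy, so that
    its presence can only ever have been set by this hop.
    """
    cleaned = {k: v for k, v in headers.items()
               if k.lower() != TRUSTED_PROXY_HEADER.lower()}
    if is_trusted_proxy(remote_addr, trusted):
        cleaned[TRUSTED_PROXY_HEADER] = "true"  # value is an assumption
    return cleaned


def forwarded_by_trusted_proxy(headers):
    """Check a downstream handler can rely on once process_request has run."""
    return headers.get(TRUSTED_PROXY_HEADER) == "true"


def client_ip(headers, remote_addr):
    """Honour X-Forwarded-For only for trusted-forwarded requests; otherwise
    the peer address is the only value the client did not choose."""
    xff = headers.get("X-Forwarded-For")
    if forwarded_by_trusted_proxy(headers) and xff:
        return xff.split(",")[0].strip()
    return remote_addr
```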