[RFC 7239] Forwarded HTTP header & X-Real-IP #1350

Open
2 of 3 tasks
krizhanovsky opened this issue Sep 16, 2019 · 4 comments
@krizhanovsky
Contributor

krizhanovsky commented Sep 16, 2019

Scope

We support the X-Forwarded-For header, while RFC 7239 introduces the standard Forwarded header, which also must be parsed as a special header. At least the following arguments must be processed:

  • for as current X-Forwarded-For
  • host as current Host header and URI host part. Tempesta must correctly choose the right host header (e.g. for HTTPtables) if all the hosts (from URI and Host and Forwarded headers) are different.
  • X-Real-IP is another header passing real client IP (just checked that my home router and 3G network proxy set this header)

The host parameter is crucial to keep an application (e.g. using redirects) working, see https://github.com/fideloper/TrustedProxy#why-does-this-matter

Also need to implement an equivalent option to Nginx's set_real_ip_from, e.g.

set_real_ip_from  192.168.1.0/24;
set_real_ip_from  192.168.2.1;
set_real_ip_from  2001:0db8::/32;

Probably the best way to store the IP addresses and netmasks is to use Htrie. A special index-only Htrie extension using very small data block, not extent as by default, must be developed. #910 requires data, but also needs static read-only HTrie with a very small data, so the #910 requirements must be addressed in the extension as well. The addresses should be converted to IPv6 form.

Testing

A functional test must be developed as part of the task. Examples from the RFC must be in the test. Also the test for choosing the right host header (e.g. for HTTPtables) if all the hosts (from URI and Host and Forwarded headers) are different is required. Also test malicious values like mysite “><xss>.
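
The trust decision that a set_real_ip_from equivalent implies, as an added example that is not Tempesta FW code: user-space C with a linear scan instead of the HTrie proposed above, and the names to_ipv6, peer_trusted and client_ip are hypothetical. Every entry and peer is converted to IPv6 form, and the X-Real-IP value is used only when the TCP peer matches a trusted entry and the value is a valid IP literal.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* IP literal -> IPv6 form (IPv4 becomes ::ffff:a.b.c.d); returns 4, 6 or -1. */
static int to_ipv6(const char *s, struct in6_addr *out)
{
	struct in_addr a4;
	if (inet_pton(AF_INET6, s, out) == 1)
		return 6;
	if (inet_pton(AF_INET, s, &a4) != 1)
		return -1;
	memset(out, 0, sizeof(*out));
	out->s6_addr[10] = out->s6_addr[11] = 0xff;
	memcpy(&out->s6_addr[12], &a4, 4);
	return 4;
}

/* 1 if peer is inside spec ("addr" or "addr/len"), 0 if outside, -1 if malformed. */
int peer_trusted(const char *peer, const char *spec)
{
	char buf[64], *slash, *end = NULL;
	struct in6_addr net, p;
	long fam, len, max;
	if (strlen(spec) >= sizeof(buf))
		return -1;
	if ((slash = strchr(strcpy(buf, spec), '/')))
		*slash = '\0';
	if ((fam = to_ipv6(buf, &net)) < 0 || to_ipv6(peer, &p) < 0)
		return -1;
	max = fam == 4 ? 32 : 128;
	len = slash ? strtol(slash + 1, &end, 10) : max;
	if (slash && (!isdigit((unsigned char)slash[1]) || *end || len > max))
		return -1;
	len += fam == 4 ? 96 : 0; /* an IPv4 prefix follows ::ffff:0:0/96 */
	if (memcmp(p.s6_addr, net.s6_addr, len / 8))
		return 0;
	return !(len % 8) || !((p.s6_addr[len / 8] ^ net.s6_addr[len / 8]) >> (8 - len % 8));
}

/* Client address: X-Real-IP only if the TCP peer is trusted and the value is an IP. */
const char *client_ip(const char *peer, const char *xri, const char *const *nets, size_t n)
{
	struct in6_addr tmp;
	for (size_t i = 0; xri && i < n; i++)
		if (peer_trusted(peer, nets[i]) == 1)
			return to_ipv6(xri, &tmp) < 0 ? peer : xri;
	return peer;
}
```

Because IPv4 entries are stored in mapped form, a peer reported as ::ffff:192.168.1.5 matches the 192.168.1.0/24 entry the same way 192.168.1.5 does.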

@const-t
Contributor

const-t commented May 4, 2022

Hi, I am currently working on this issue for myself. I am almost done with the first and second parts. When I write the tests I will open a PR. Can you assign it to me if you aren't working on this task?

@krizhanovsky
Contributor Author

Hi @const-t ,

I assigned the issue to you and we'll be happy to see a pull request from you!

const-t added a commit to const-t/tempesta that referenced this issue May 17, 2022
What has been implemented:
 - Parsing of "Forwarded" header. "for=" parameter parsed, but
   not used now. Only xff continues to be used. Also "Forwarded"
   not modified when forwarding to backend.
 - Choosing the right host by using keyword "host" in HTTPTables.
   - Highest priority has "URI", then "Host" and "Forwarded"
 - Added tests for validity of parsing and choosing host.
const-t added a commit to const-t/tempesta that referenced this issue Jul 5, 2022
What has been implemented:
 - Parsing of "Forwarded" header. "for=" parameter parsed, but
   not used now. Only xff continues to be used. Also "Forwarded"
   not modified when forwarding to backend.
 - Choosing the right host by using keyword "host" in HTTPTables.
   - Highest priority has "URI", then "Host" and "Forwarded"
 - Added tests for validity of parsing and choosing host.
 - Added matching host of forwarded by http_host_required.
const-t added a commit that referenced this issue Jul 5, 2022
Added Forwarded HTTP header parsing (#1350)
@const-t
Contributor

const-t commented Jul 5, 2022

Parsing of the Forwarded header has been implemented. Functional tests have also been added. Now we need to introduce support of X-Real-IP. X-Real-IP requires functional tests too.

@krizhanovsky krizhanovsky changed the title [RFC 7239] Forwarded HTTP header [RFC 7239] Forwarded HTTP header & X-Real-IP Jul 5, 2022
This was referenced Sep 9, 2022
@krizhanovsky krizhanovsky removed the good to start Start form this tasks if you're new in Tempesta FW label Oct 23, 2022
@krizhanovsky
Contributor Author

Also please see the TODO comment in #1994 and do it
