Only trust direct proxy in the trusted downstream #2579
It seems the unittest failure is not related to this MR.
Looks correct to me.
get xheader info from an untrusted proxy. User must add direct proxy ip address to trusted downstream.
```
user1 ----------> real-proxy ----------> server
untrusted-proxy --x--^                     ^
                `-------------x------------|
```
Code style is fixed now.
This breaks backwards compatibility in a couple of ways. First, it's valid to specify Second, I'm not sure it's compatible with the existing uses of
In this case What we really need is a more sophisticated way of configuring the
Ah, right, users who set (And looks like I forgot to have my nginx configs also remove
Yes, I agree with you. This patch attempts to resolve **which remote IPs can send xheaders** in an improper way. Feel free to close this MR. By the way, is there any plan to design a new xheader system?
Only trust direct proxy in the trusted downstream to avoid getting xheader info from an untrusted proxy.
User must add the direct proxy IP address to trusted downstream.
This may be a breaking change, but it is more secure.
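The direct-peer check this PR describes, sketched as an added example (not code from the PR or the project): forwarded-address headers are honoured only when the socket peer itself is in the trusted downstream set. The function names, the use of `X-Forwarded-For` as the xheader, and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def normalize_ip(value):
    """Return the normalized IP string, or None if value is not an IP literal."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def resolve_client_ip(peer_ip, headers, trusted_downstream):
    """Pick the client address for one request (hypothetical helper).

    peer_ip: address of the TCP peer that connected to the server.
    headers: dict of request headers keyed by lower-cased name.
    trusted_downstream: addresses of proxies allowed to supply xheaders.
    """
    trusted = {normalize_ip(ip) for ip in trusted_downstream}
    trusted.discard(None)

    # Direct-peer check: a peer that is not a trusted proxy gets no say,
    # whatever it put in the header.
    if normalize_ip(peer_ip) not in trusted:
        return peer_ip

    forwarded = headers.get("x-forwarded-for", "")
    # Walk right to left: each trusted proxy appended the hop it saw, so the
    # first entry that is not a trusted proxy is the client address.
    for hop in reversed(forwarded.split(",")):
        candidate = normalize_ip(hop)
        if candidate is None:
            return peer_ip  # empty or malformed entry: keep the socket address
        if candidate not in trusted:
            return candidate
    return peer_ip  # header listed only trusted proxies


if __name__ == "__main__":
    # Constructed sample: 10.0.0.5 is the real proxy, 203.0.113.9 is not trusted.
    trusted = {"10.0.0.5"}
    print(resolve_client_ip("10.0.0.5", {"x-forwarded-for": "198.51.100.7"}, trusted))
    print(resolve_client_ip("203.0.113.9", {"x-forwarded-for": "127.0.0.1"}, trusted))
```
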