
dnsdist: DoH in reverse proxy: Accept HTTP Header for indicating real client (address) #8661

Closed
krombel opened this issue Dec 30, 2019 · 1 comment · Fixed by #8945

Comments

@krombel
Contributor

krombel commented Dec 30, 2019

  • Program: dnsdist
  • Issue type: Feature request

Short description

Allow passing X-Forwarded-For or X-Real-IP when using DoH behind reverse proxy

Usecase

There are some cases where you want dnsdist to know the correct IP of the requesting party. Be it the output of topClients(), which just shows 127.0.0.1 as the top client when reverse proxying, or when you want to add rules which track or block access from a dedicated subnet (e.g. addAction({'1.2.3.0/24'}, NoneAction()) to monitor access from specific subnets).

Description

For now there is no possibility to make dnsdist see the correct IP when reverse proxying.

I had a short look at where it might be appropriate to evaluate such a header and came to these positions:

  • doh.cc: doh_handler()
    • This would be even before evaluating the ACL match, which might not do what you want in case you want to limit the ACL to 127.0.0.1 but allow requests from everywhere through the reverse proxy
  • doh.cc: doh_dispatch_query()
  • doh.cc: processDOHQuery()
    • This is the last point where we are in a DoH-only environment. After that point it is handled as "general dns query" internally.

I don't know how configs are/should be passed there but I think that might help as a starting point.

While chatting in #powerdns, two possible modes were mentioned:

  • add an ACL for IPs which are allowed to add such a header (in case you just have one listener for all DoH queries)
  • have a dedicated listener with a 'trust this header' config which evaluates the header if available.

As I will use a dedicated listener which is listening on a "private" IP with encryption disabled, I would go for the second approach. I need no ACL power on that listener.
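The two trust modes described in this request, as an added Python example that is not dnsdist's own code: the `Listener` model, the function names and the sample addresses are assumptions made for illustration. The security-relevant point it shows is that the header is only honoured when the TCP peer is a trusted proxy (mode 1) or the listener is explicitly configured to trust it (mode 2), and that the rightmost X-Forwarded-For entry is used, since earlier entries can be supplied by the client itself.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Listener:
    """Hypothetical model of a DoH frontend for this example (not dnsdist's API)."""
    trust_forwarded_header: bool = False                 # mode 2: dedicated trusting listener
    proxy_acl: List[str] = field(default_factory=list)   # mode 1: proxies allowed to set the header


def _parse_ip(text: str) -> Optional[IPAddress]:
    """Parse one address; return None on garbage so callers fall back safely."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def effective_client(peer: str, headers: Dict[str, str], listener: Listener) -> IPAddress:
    """Return the address that rules such as topClients() or addAction() should see.

    The header is honoured only if the peer is inside the listener's proxy ACL
    (mode 1) or the listener trusts the header unconditionally (mode 2). In every
    other case, and whenever the header is malformed, the real peer address wins,
    so an untrusted client cannot spoof its way past an address-based rule.
    """
    peer_ip = ipaddress.ip_address(peer)
    trusted = listener.trust_forwarded_header or any(
        peer_ip in ipaddress.ip_network(net, strict=False) for net in listener.proxy_acl
    )
    if not trusted:
        return peer_ip
    lower = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    if "x-real-ip" in lower:
        ip = _parse_ip(lower["x-real-ip"])
        return ip if ip is not None else peer_ip
    if "x-forwarded-for" in lower:
        # X-Forwarded-For is a comma-separated chain; each proxy appends the address it
        # saw, so only the last entry was written by the proxy we trust.
        ip = _parse_ip(lower["x-forwarded-for"].split(",")[-1])
        return ip if ip is not None else peer_ip
    return peer_ip
```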

@zeha zeha changed the title dnsdist: DoH in reverse proxy: Accept HTTP Header for indicating real origin dnsdist: DoH in reverse proxy: Accept HTTP Header for indicating real client (address) Dec 30, 2019
@zeha
Collaborator

zeha commented Dec 30, 2019

Updated title because "Origin" has a different meaning in HTTP.
