Short description
Allow passing X-Forwarded-For or X-Real-IP when using DoH behind a reverse proxy
Usecase
There are some cases where you want dnsdist to know the correct IP of the requesting party. Might it be the output of topClients(), which just has 127.0.0.1 as top client when doing reverse proxying, or when you want to add rules which track or block access from a dedicated subnet (e.g. addAction({'1.2.3.0/24'}, NoneAction()) to monitor access from specific subnets).
Description
For now there is no possibility to make dnsdist see the correct IP when reverse proxying.
I had a short look at where it might be appropriate to evaluate such a header and came to these positions:
- This would be even before evaluating the ACL match, which might not do what you want in case you want to limit the ACL to 127.0.0.1 but allow requests from everywhere through the reverse proxy.
- This is the last point where we are in a DoH-only environment. After that point it is handled as a "general dns query" internally.
I don't know how configs are/should be passed there, but I think that might help as a starting point.
While chatting in #powerdns, 2 possible modes were mentioned:
- add an ACL for IPs which are allowed to add such a header (in case you just have one listener for all DoH queries)
- have a dedicated listener with a 'trust this header' config which evaluates the header if available.
As I will use a dedicated listener which is listening on a "private" IP with encryption disabled, I would go for the second approach. I need no ACL power on that listener.
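The two modes mentioned above (an ACL of proxies allowed to set the header, or a per-listener "trust this header" switch) both come down to the same question: when may a DoH front end believe X-Forwarded-For or X-Real-IP instead of the TCP peer address? The sketch below is an added example written for this issue, not dnsdist code and not a proposed patch; the function names, the trusted-proxy networks and the sample requests are all constructed. It shows the header-to-client resolution a defender would want: the header is ignored unless the peer is a trusted proxy (mode 1) or the listener is flagged as trusting it (mode 2), X-Forwarded-For is walked from the right so that hops appended by trusted proxies are skipped, and malformed values fall back to the peer address rather than being fed into ACLs or topClients()-style statistics.

```python
import ipaddress


def _parse_ip(text):
    """Return an ip_address for text, or None if it is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _in_any(ip, networks):
    """True if ip lies in any of the given networks (mixed IP versions never match)."""
    return any(ip in net for net in networks)


def resolve_client(peer, headers, trusted_proxies=(), trust_header=False):
    """Decide which address a DoH query should be attributed to.

    peer            -- address of the TCP/TLS peer as seen by the listener
    headers         -- HTTP request headers of the DoH request (any case)
    trusted_proxies -- mode 1: networks whose members may supply the header
    trust_header    -- mode 2: the listener itself is marked as trusting the header
    Returns (address, reason); the reason is meant for logging the decision.
    (Hypothetical helper written for this example, not a dnsdist API.)
    """
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    # Gate first: an untrusted peer can put anything in the header, so an
    # ACL or rate limit keyed on the header would otherwise be bypassable.
    if not (trust_header or _in_any(peer_ip, nets)):
        return peer_ip, "peer-not-trusted"

    hdrs = {k.lower(): v for k, v in headers.items()}

    xff = hdrs.get("x-forwarded-for")
    if xff:
        hops = [_parse_ip(h) for h in xff.split(",")]
        if any(h is None for h in hops):
            return peer_ip, "malformed-xff"
        # Walk right to left: the rightmost entry was appended by the trusted
        # peer, entries further left were appended by earlier hops. The first
        # entry that is not itself a trusted proxy is the real client.
        for hop in reversed(hops):
            if not _in_any(hop, nets):
                return hop, "xff"
        # Every hop is a trusted proxy; the leftmost is the best we have.
        return hops[0], "xff-all-trusted"

    real = hdrs.get("x-real-ip")
    if real:
        ip = _parse_ip(real)
        if ip is not None:
            return ip, "x-real-ip"
        return peer_ip, "malformed-x-real-ip"

    return peer_ip, "no-header"


def top_clients(requests, **policy):
    """Tally attributed client addresses, the way a topClients()-style report would.

    requests is an iterable of (peer, headers) pairs; policy is passed on to
    resolve_client(). Returns {address-as-string: count}.
    """
    counts = {}
    for peer, headers in requests:
        ip, _reason = resolve_client(peer, headers, **policy)
        counts[str(ip)] = counts.get(str(ip), 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic: a reverse proxy on 127.0.0.1 forwards for
    # two clients, and one direct connection tries to forge the header.
    sample = [
        ("127.0.0.1", {"X-Forwarded-For": "203.0.113.5"}),
        ("127.0.0.1", {"X-Forwarded-For": "203.0.113.5"}),
        ("127.0.0.1", {"X-Forwarded-For": "198.51.100.9, 10.0.0.2"}),
        ("192.0.2.77", {"X-Forwarded-For": "203.0.113.5"}),
    ]
    policy = {"trusted_proxies": ["127.0.0.0/8", "10.0.0.0/8"]}
    for peer, hdrs in sample:
        print(peer, hdrs, "->", resolve_client(peer, hdrs, **policy))
    print(top_clients(sample, **policy))
```

With the header honoured only from trusted proxies, the report attributes the forwarded queries to 203.0.113.5 and 198.51.100.9 instead of 127.0.0.1, while the direct connection from 192.0.2.77 keeps its own address no matter what it sends. The same function with trust_header=True and no trusted networks models the dedicated private listener from the second mode: the rightmost X-Forwarded-For entry, the one the proxy appended, is taken as the client.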
zeha changed the title from "dnsdist: DoH in reverse proxy: Accept HTTP Header for indicating real origin" to "dnsdist: DoH in reverse proxy: Accept HTTP Header for indicating real client (address)" on Dec 30, 2019