🐛 Fiber will never start with big IP networks in config.TrustedProxies #1607

Closed
sadfun opened this issue Oct 30, 2021 · 1 comment · Fixed by #1614

Contributor

sadfun commented Oct 30, 2021

Fiber version
2.21.0

Issue description
Recently I asked for a feature: #1600. Next day it was implemented by #1602. Thanks, but I think this solution is very dangerous.

Let's see how the current solution works:

// Iterates IP address which is between range
for ip := ip.Mask(ipnet.Mask); ipnet.Contains(ip); utils.IncrementIPRange(ip) {
    app.config.trustedProxiesMap[ip.String()] = struct{}{}
}

Actually, this solution just adds all IP addresses that the networks contain to trustedProxiesMap, one by one.

Look at Cloudflare - the most popular proxy for websites and, I think, the most popular case. What happens if we add all IPv4 Cloudflare networks to config.TrustedProxies? trustedProxiesMap will contain 1 786 880 IPs! Although it is extremely inefficient on memory, it can still be OK. But try to add at least one IPv6 Cloudflare IP network, and fiber will never finish adding IPs to trustedProxiesMap.

Spoiler If we add all Cloudflare IPv6 networks, fiber needs to process 1 109 194 275 199 700 726 309 617 091 584 IPs.

Code snippet
Just add all cloudflare (or any other big) IP networks to config to reproduce.

Cloudflare networks
[]string{
	"103.21.244.0/22",
	"103.22.200.0/22",
	"103.31.4.0/22",
	"104.16.0.0/12",
	"108.162.192.0/18",
	"131.0.72.0/22",
	"141.101.64.0/18",
	"162.158.0.0/15",
	"172.64.0.0/13",
	"173.245.48.0/20",
	"188.114.96.0/20",
	"190.93.240.0/20",
	"197.234.240.0/22",
	"198.41.128.0/17",
	"2400:cb00::/32",
	"2606:4700::/32",
	"2803:f800::/32",
	"2405:b500::/32",
	"2405:8100::/32",
	"2a06:98c0::/29",
	"2c0f:f248::/32",
}
@sadfun sadfun changed the title 🐛 Fiber never start with big IP networks in trustedProxies 🐛 Fiber never start with big IP networks in config.TrustedProxies Oct 30, 2021
@sadfun sadfun changed the title 🐛 Fiber never start with big IP networks in config.TrustedProxies 🐛 Fiber will never start with big IP networks in config.TrustedProxies Oct 30, 2021
@hi019 hi019 self-assigned this Nov 1, 2021
@hi019 hi019 removed their assignment Nov 26, 2021
Member

hi019 commented Nov 26, 2021

I've been busy recently so my work on #1614 has stagnated. I'll finish it in the next few days, but someone else is welcome to fix this too.

ReneWerner87 added a commit that referenced this issue Dec 31, 2021
* Fix using IP ranges in config.TrustedProxies (#1607)

* Add tests

* Remove debugging var

* Remove tests

* Update test

Co-authored-by: RW <rene@gofiber.io>