Block mode for @waline/vercel

[Mister-Hope]

I am trying to find out a solution with #785. And here is my possible solution:

1. Add a TRACKIP env variable and default to false.
2. add blockedIPS in options
3. Edit code to make the console prints all th ips in X-Forwarded-For header and the remote addr when TRACKIP has values, and also stores theme in a local log file. (With also the api path like comment visitor)
4. edit the admin panel to let admin users be able to view the log on line. This should probaly come along with the native
5. Add a middleware beforeall services, if the request's X-Forwarded-For header or the send addr matches any of the blockedIPS, return 403 statuscode directly.

---

Reason

In most situations, the attackers should hold limited ips sending these request. (We are not facing large attacks like DDOS, if so , the user probably need a paid firewall).

The attacker's real ip should be one of the X-Forwarded-For ips or the connect ip. And when under high frequent attacks, it's easy to find his real ip. Users can block his ip by adding the nearest unchanged ip on right in X-Forwarded-For header. That should block the attackers.

More aggresively, we can also have a SECURE env variable, which will record all the ip in X-Forwarded-For header and block them with IPQPS, expect those in permitedIPS.

@lizheming @ihackerx

[lizheming]

All request headers can be faked by user, including X-Forwarded-For. Recording is unmeaning if it can't be trusted.

If you watch the server code, you'll find server just get user's ip from X-Forwarded-For header. https://github.com/koajs/koa/blob/master/lib/request.js#L421-L459

[Mister-Hope]

So if I am not misunderstanding, the test url is like stuation 4 where I mentioned above, while the proxy is actually doing the "by-pass" job, while simply reads "true-client-ip" and regard it as the real ip then added in the "x-forward-for" header, and hide the actually ip which connects it to the server side?

[Mister-Hope]

Shouldn't it be some issues of the "reverse proxy" configuation?

[Mister-Hope]

Update:

After speding some time reading the docs, here is my conclusion:

If it's vercel default behavior, then vercel is hiding the connect ip itself, and try to give "the real user ip". Probably with https://nginx.org/en/docs/http/ngx_http_realip_module.html

While the default behavior of nginx should be something like this, since $remote_addr should be the proxy ip (or the connection ip by default), req.connect.remoteAddress should be actual ip.

location / {
    proxy_pass       http://localhost:8000;
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
}

If so, that's true there is nothing we can do about it on vercel. But we should be able to block these requests on a self hold env.

[Mister-Hope]

cc @ihackerx

[lizheming]

In self host mode, we can set maxIpsCount to proxy server layers to get a real ip. https://koajs.com/#settings

const Waline = require('@waline/vercel');
const Application = new Waline({});
think.app.maxIpsCount = <number>;

module.exports = Application;