Skip to content

Add possibility to handle proxy info differently depending on upstream IP#11

Merged
pires merged 7 commits into
pires:masterfrom
mikey179:proxy_handling_policy
Feb 13, 2020
Merged

Add possibility to handle proxy info differently depending on upstream IP#11
pires merged 7 commits into
pires:masterfrom
mikey179:proxy_handling_policy

Conversation

@mikey179

@mikey179 mikey179 commented Aug 28, 2019

Copy link
Copy Markdown

This introduces the possibility to decide on each new incoming connection whether the proxy header should be used, ignored, or the connection be rejected. It also allows to reject the connection when a proxy header is required but not send at all.

Without such a possibility usage of this library is prone to security attacks enabling simple faking of client IP addresses by accepting any proxy protocol header regardless of whether the upstream source is allowed to send one or not. The need for this is derived from our use case, where we have an application which accepts connections both through a proxy and direct (there's a reason for that). If we would allow the proxy header for direct connections it would allow clients to pretend they are from another IP address which we don't want.

While NewConn is part of the public API I decided to change it nevertheless as no official release or version of this library exists yet. In case you want to keep it as is I'd introduce another function NewConnWithPolicy instead where the caller can provide the policy, and fall back to the USE policy in NewConn.

@pires pires self-requested a review September 26, 2019 09:58
@pires pires self-assigned this Sep 26, 2019
@pires pires added this to the 2.0 milestone Sep 26, 2019
@pires

pires commented Sep 26, 2019

Copy link
Copy Markdown
Owner

I will take the weekend to look into this.

@pires pires force-pushed the master branch 2 times, most recently from e4eae17 to b6563d9 Compare November 30, 2019 14:57
@pires

pires commented Dec 1, 2019

Copy link
Copy Markdown
Owner

I like this idea a lot! Can you please rebase and fix conflicts?

I'm totally fine with merging and breaking the API since there's no release and people can simply rely on the commit of their choosing.
Actually, I just removed the timeout parameter since it wasn't even being used, so yeah.

…m ip

Without such a possibility usage of this library is prone to security attacks
enabling simple faking of client ip addresses by accepting any proxy protocol
header regardless of whether the upstream source is allowed to send one or not.

This introduces the possibility to decide on each new incoming connection
whether the proxy header should be used, ignored, or reject the connection. It
also allows to reject the connection when a proxy header is required but not
send.
@mikey179 mikey179 force-pushed the proxy_handling_policy branch from b2ca7a5 to fa756e1 Compare December 19, 2019 14:21
@mikey179

Copy link
Copy Markdown
Author

Rebased and fixed conflicts.

@pires pires mentioned this pull request Jan 8, 2020
@pires

pires commented Jan 8, 2020

Copy link
Copy Markdown
Owner

@mikey179 thank you very much! Sorry for the delay in coming back to you. Meanwhile, it seems folks from Hashicorp are interested in the functionality you are introducing (#16). Would be great to have both of you agreeing on the functionality and subsequent implementation before we merge. WDYT?

Comment thread policy.go
Comment thread policy.go
Comment thread protocol.go Outdated
Comment thread protocol.go
Comment thread protocol.go
@mikey179

Copy link
Copy Markdown
Author

I think I addressed all concerns raised so far, but in case I missed anything just ping me.

Comment thread policy.go Outdated
@jefferai

Copy link
Copy Markdown

Other than my suggestion around CIDRs I think this is looking good!

This introduces the possibility to use IP ranges next to IP adresses for the whitelists. To ensure the provided values are valid they are parsed, invalid IP ranges or IP addresses are rejected. However, this requires LaxWhiteListPolicy() and StrictWhiteListPolicy() to return an error in such cases. To cope with that, similar to other Must* functions in the standard library, two new functions MustLaxWhiteListPolicy() and MustStrictWhiteListPolicy() which panic instead are introduced.
@pires

pires commented Feb 11, 2020

Copy link
Copy Markdown
Owner

@jefferai can you please give it a last review?

@jefferai

Copy link
Copy Markdown

I think it looks good!

@pires pires left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you very much for this contribution and for being so collaborative! <3

@pires pires merged commit 833e5d0 into pires:master Feb 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants