You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If no IP is appended to the X-Forwarded-For header at all, the user can spoof their IP address to the rate limiter just by creating an X-Forwarded-For header of their own (effectively bypassing the limiter, or DoSing any IP address they like)
This will become more common as load-balancers move to RFC 7239 (Forwarded) headers, which aren't supported at all
It doesn't support configuration of trusted proxies (those that the determination of IP address should "look through")
etc.
I'd suggest that the default case in the getOrElse (L12) block should just be request.remoteAddress:
It can't be spoofed by the user, providing a much safer default
Which means it gives us RFC 7239 support "for free" too
I'm guessing play.http.forwarded.trustedProxies might not have existed when this code was conceived, but either way, request.remoteAddress is definitely all that needs to be considered now.
The text was updated successfully, but these errors were encountered:
you're totally right. I wasn't aware that I can achieve the current behaviour with request.remoteAddress by trusting all proxies. Would you like to submit a pull request?
Currently, the last IP address in the
X-Forwarded-For
header is used by default as the originating IP address for the request:play-guard/module/app/com/digitaltangible/playguard/package.scala
Lines 12 to 19 in 1c4146c
There's quite a few problems with this approach:
X-Forwarded-For
header at all, the user can spoof their IP address to the rate limiter just by creating anX-Forwarded-For
header of their own (effectively bypassing the limiter, or DoSing any IP address they like)Forwarded
) headers, which aren't supported at allI'd suggest that the default case in the
getOrElse
(L12) block should just berequest.remoteAddress
:play.http.forwarded.trustedProxies
settingI'm guessing
play.http.forwarded.trustedProxies
might not have existed when this code was conceived, but either way,request.remoteAddress
is definitely all that needs to be considered now.The text was updated successfully, but these errors were encountered: