-
Notifications
You must be signed in to change notification settings - Fork 40.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reactor Netty does not support X-Forwarded-* request headers #10900
Comments
As discussed with @mbhave @rstoyanchev @wilkinsona @rwinch This probably happens when a proxy terminates the SSL connection and uses This issue should be about how we should deal with those cases in Spring Boot WebFlux applications (with all supported servers). |
If we're going down the route of using our own filter, we should consider #5677 again as there'd certainly be some benefit in a consistent approach across the WebFlux and Servlet worlds. I know @rwinch would still like to see us do that. On the other hand the existing support probably works with WebFlux on top of Tomcat, Undertow, and Jetty so something that's Reactor Netty-specific would be another option. |
I've asked for an enhancement on the Reactor Netty project as this feature probably belongs in the server codebase itself anyway. See reactor/reactor-netty#220. In the meantime, this can be partially solved for other servers by implementing it in |
@bclozel same thing, this issue is blocked by a |
@snicoll I've provided a PR for that, scheduled for 0.8. |
Have we come to a conclusion about using |
There is one extra concern to consider. While This is one reason why the One, it would be useful to have some sort of Something to consider in this discussion. |
Thanks @rstoyanchev , I've created #11525 to track that enhancement. We probably won't be using the
We've decided to use reactor-netty's support as soon as it's merged by the team. |
I hope the boot team will reconsider. Inconsistency with how X-Forwarded is supported is one of the largest issues I come across in support of Boot + Security. It has been the source of plenty of CVEs and switching to
Boot has made quite a few breaking changes in 2.0, so I don't think this provides a good reason. Especially since users can easily revert to the previous behavior using
The
We have not had any issues with this. However, it should be easily resolved by adjusting the dispatch types properly.
True. However, containers do not support all the features of the I'm guessing by using a consistent mechanism Boot would be able to delete quite a bit of app server specific code. Users would get a more consistent experience. In many cases they would get more features (if there are features missing that are important, please log an issue). As @rstoyanchev pointed out they would be more secure as well. |
#11525 answers my concern. As for the overall question of using the filter or not, I do agree and see the point that Boot is in a position to handle forwarded headers more efficiently at the server level. It's arguably justified even if it means a bit of extra code. However that should not come at the expense of any potential for CVEs.
@rwinch can you provide a little more detail? This is a crucial point IMO and needs more elaboration. |
Can you elaborate on how this is more efficient?
There are inconsistencies in the fact that Tomcat does not support X-Forwarded-Host but other application servers do. I have seen this where an application was verified to be secure on Tomcat and then it was later ran on Jetty where the Another issue is Tomcat is the only container that provides validation of proxies. This validation provides little value since under most circumstances if you can forge an |
Unfortunately, it's more than that. A key difference is that, when using the native option, Undertow configures an internal object (its exchange type, IIRC) based on the headers. The filter loses that functionality. I haven't reviewed Undertow's code to see precisely how the configuration on the exchange is used, but losing the functionality makes me nervous as it must be there for a reason. I wouldn't want someone to be lulled into a false sense of security as they assumed Undertow was using the native header functionality and would be behaving as Undertow can reasonably be expected to behave in such a situation.
I think this argument cuts both ways as there are two types of consistency: consistency across containers and consistency with how users expect a particular container to behave. Which you consider to be more important is subjective, but we're choosing between consistency with two different things rather than consistency vs inconsistency. For other functionality where it can be done natively vs in a filter (response compression, for example), we've opted to configure it at the container level. That has served us well thus far as users have welcomed things working exactly as they'd expect for a particular container. |
No description provided.
The text was updated successfully, but these errors were encountered: