

Remove X-Forwarded-(Uri, Method, Tls-Client-Cert and Tls-Client-Cert-Info) from untrusted IP
stffabi authored and traefiker committed Jul 8, 2019
1 parent 0ee5d3d commit cc4258b
Showing 2 changed files with 87 additions and 27 deletions.
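--- a/pkg/middlewares/forwardedheaders/forwarded_header.go
+++ b/pkg/middlewares/forwardedheaders/forwarded_header.go
@@ -10,14 +10,18 @@ import (
 )
 
 const (
-xForwardedProto = "X-Forwarded-Proto"
-xForwardedFor = "X-Forwarded-For"
-xForwardedHost = "X-Forwarded-Host"
-xForwardedPort = "X-Forwarded-Port"
-xForwardedServer = "X-Forwarded-Server"
-xRealIP = "X-Real-Ip"
-connection = "Connection"
-upgrade = "Upgrade"
+xForwardedProto = "X-Forwarded-Proto"
+xForwardedFor = "X-Forwarded-For"
+xForwardedHost = "X-Forwarded-Host"
+xForwardedPort = "X-Forwarded-Port"
+xForwardedServer = "X-Forwarded-Server"
+xForwardedURI = "X-Forwarded-Uri"
+xForwardedMethod = "X-Forwarded-Method"
+xForwardedTLSClientCert = "X-Forwarded-Tls-Client-Cert"
+xForwardedTLSClientCertInfo = "X-Forwarded-Tls-Client-Cert-Info"
+xRealIP = "X-Real-Ip"
+connection = "Connection"
+upgrade = "Upgrade"
 )
 
 var xHeaders = []string{
@@ -26,6 +30,10 @@ var xHeaders = []string{
 xForwardedHost,
 xForwardedPort,
 xForwardedServer,
+xForwardedURI,
+xForwardedMethod,
+xForwardedTLSClientCert,
+xForwardedTLSClientCertInfo,
 xRealIP,
 }
 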
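Review bot: `xHeaders` is a fixed allowlist, so only the headers named in it are stripped from untrusted remotes; if any code path in this tree honours another proxy-supplied header — the RFC 7239 `Forwarded` header, or an `X-Forwarded-Prefix` emitted by a path-rewriting middleware — that header is still accepted from anyone after this change and needs adding to this list too (I cannot confirm from this hunk whether either is in use). Nothing in the file states why membership in this list matters, which is how the four headers this commit adds were missed in the first place; I would put `// xHeaders are trust-bearing headers a proxy sets for its backends (client IP, scheme, forwarded TLS client cert, ...). The middleware drops them unless the remote IP is trusted or insecure mode is on, so every X-Forwarded-* header a middleware starts consuming must be added here.` above `var xHeaders = []string{`. The stripping logic that consumes the list is outside the hunk, so the trusted-IP/insecure behaviour described in that comment is taken from the expectations in forwarded_header_test.go rather than from visible code.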
90 changes: 71 additions & 19 deletions pkg/middlewares/forwardedheaders/forwarded_header_test.go
Expand Up @@ -28,79 +28,131 @@ func TestServeHTTP(t *testing.T) {
remoteAddr: "",
incomingHeaders: map[string]string{},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
"X-Forwarded-for": "",
"X-Forwarded-Uri": "",
"X-Forwarded-Method": "",
"X-Forwarded-Tls-Client-Cert": "",
"X-Forwarded-Tls-Client-Cert-Info": "",
},
},
{
desc: "insecure true with incoming X-Forwarded-For",
desc: "insecure true with incoming X-Forwarded headers",
insecure: true,
trustedIps: nil,
remoteAddr: "",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
},
},
{
desc: "insecure false with incoming X-Forwarded-For",
desc: "insecure false with incoming X-Forwarded headers",
insecure: false,
trustedIps: nil,
remoteAddr: "",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
"X-Forwarded-for": "",
"X-Forwarded-Uri": "",
"X-Forwarded-Method": "",
"X-Forwarded-Tls-Client-Cert": "",
"X-Forwarded-Tls-Client-Cert-Info": "",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips",
desc: "insecure false with incoming X-Forwarded headers and valid Trusted Ips",
insecure: false,
trustedIps: []string{"10.0.1.100"},
remoteAddr: "10.0.1.100:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips",
desc: "insecure false with incoming X-Forwarded headers and invalid Trusted Ips",
insecure: false,
trustedIps: []string{"10.0.1.100"},
remoteAddr: "10.0.1.101:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
"X-Forwarded-for": "",
"X-Forwarded-Uri": "",
"X-Forwarded-Method": "",
"X-Forwarded-Tls-Client-Cert": "",
"X-Forwarded-Tls-Client-Cert-Info": "",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips CIDR",
desc: "insecure false with incoming X-Forwarded headers and valid Trusted Ips CIDR",
insecure: false,
trustedIps: []string{"1.2.3.4/24"},
remoteAddr: "1.2.3.156:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips CIDR",
desc: "insecure false with incoming X-Forwarded headers and invalid Trusted Ips CIDR",
insecure: false,
trustedIps: []string{"1.2.3.4/24"},
remoteAddr: "10.0.1.101:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
"X-Forwarded-Uri": "/bar",
"X-Forwarded-Method": "GET",
"X-Forwarded-Tls-Client-Cert": "Cert",
"X-Forwarded-Tls-Client-Cert-Info": "CertInfo",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
"X-Forwarded-for": "",
"X-Forwarded-Uri": "",
"X-Forwarded-Method": "",
"X-Forwarded-Tls-Client-Cert": "",
"X-Forwarded-Tls-Client-Cert-Info": "",
},
},
{
