Security: Kong allows remote clients to forge remote IP

[kylegato]

Summary

We use a Layer 3 load balancer (relayD) to route requests to Kong. Currently with the way kong is setup, the default nginx LUA template includes the following entry:

set_real_ip_from 0.0.0.0/0;

Per the NGINX Documentation: http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from

Defines trusted addresses that are known to send correct replacement addresses. If the special value unix: is specified, all UNIX-domain sockets will be trusted.

It would probably be more ideal if we could supply range(s) of trusted internal IPs instead in the kong configuration, which would be inserted into the LUA config automatically.

Here is a full example:

Command:
kyle$ curl -H "X-Real-IP: 222.222.222.222" -H "X-Forwarded-For: 222.222.222.222" -X GET https://api.kong.qa/kyle

Log Entry on Kong Server:
222.222.222.222 - - [20/Sep/2016:12:34:04 -0700] "GET /kyle HTTP/1.1" 404 249 "-" "curl/7.43.0"

Steps To Reproduce

1. curl -H "X-Real-IP: 222.222.222.222" -H "X-Forwarded-For: 222.222.222.222" -X GET https://YOUR_KONG_INSTANCE_OR_LOAD_BALANCER
2. Check your access log files (/usr/local/kong/logs/access.log)

Additional Details & Logs

• Kong version 0.9.1
• Operating System CentOS Linux release 7.2.1511 (Core) - Kernel: 3.10.0-327.28.2.el7.x86_64

[thibaultcha]

Note: somehow related to #1615 (asking for a better configurable behavior of the ngx_http_realip module.

[kylegato]

@thibaultcha I submitted a PR ^

[thibaultcha]

Moved to #2202. Thanks!