Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove the new trustedproxy logic from client ip parsing #2809

Open
montanaflynn opened this issue Aug 4, 2021 · 15 comments
Open

Remove the new trustedproxy logic from client ip parsing #2809

montanaflynn opened this issue Aug 4, 2021 · 15 comments

Comments

@montanaflynn
Copy link

Description

We really need a way to disable this and go back to the original logic of trusting proxies. My stuff is behind cloudfront, I trust their proxies but don't have a list of all the IP addresses. Now I don't get the real client IPs. This broke a lot of our downstream logs and analytics.

How about a simple bool to go back to original logic?

DisableTrustedProxyChecking: false

Related: #2697 #2723 #2791

@zihengCat
Copy link
Contributor

zihengCat commented Aug 12, 2021

@montanaflynn
Just set TrustedProxies to nil using new SetTrustedProxies API in Gin 1.7.3 version :)

engine.SetTrustedProxies(nil)

@montanaflynn
Copy link
Author

That method doesn't exist in Gin 1.7.3 version.

@zihengCat
Copy link
Contributor

Oh, Gin 1.7.3 doesn't bundle the latest master codes.

@zihengCat
Copy link
Contributor

Set TrustedProxies to nil manually before running the application.

engine := gin.Default()
engine.TrustedProxies = nil
// ...
engine.Run(":8080")

@montanaflynn
Copy link
Author

I'm not using engine.Run so that won't work either.

Here's an example, this is very common, please also see #2697

package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/gin-gonic/gin"
)

func main() {
	router := gin.New()
	fmt.Println(gin.Version)

	server := &http.Server{
		Addr:    ":8080",
		Handler: router,
	}

	router.GET("/", func(c *gin.Context) {
		c.String(200, c.ClientIP())
	})

	err := server.ListenAndServe()
	if err != nil {
		log.Fatal(err)
	}
}

@duaneking
Copy link

IMHO The TrustedProxy logic should honestly be turned off by default; there is not a good reason I can think of - feel free to provide your own and explain it to change my mind if you like - to turn it on by default in an unconfigured and non-functional state, and the speed difference after turning it off is noticeable in my tests enough that turning it off looks like something that can actually save you money on FaaS environment deploys.

@dominictobias
Copy link

dominictobias commented Mar 3, 2023

This isn't a great experience as the warning happens from the demo code in the README and the link in the warning redirects to the readme without any specific info

[GIN-debug] [WARNING] Creating an Engine instance with the Logger and Recovery middleware already attached.

[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:	export GIN_MODE=release
 - using code:	gin.SetMode(gin.ReleaseMode)

[GIN-debug] GET    /ping                     --> main.main.func1 (3 handlers)
[GIN-debug] [WARNING] You trusted all proxies, this is NOT safe. We recommend you to set a value.
Please check https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies for details.

@koalazub
Copy link

Hey, I wanted to know if there's been an update on this as of late?

I'm aware of how to disable when using Run(), but is there a way outside of this solution?

@swarajkumarsingh
Copy link

The perfect solution 💕

Issue: Gin by default does not allow all requests to access the server for security reasons

Solution: If you are using the Golang Gin framework and receiving the warning “you trusted all proxies this is not safe. we recommend you to set a value”, it means that your application is currently configured to trust all incoming proxy requests, which can be a security risk.

To fix this issue, you should update your Gin configuration to specify the IP addresses or networks of trusted proxy servers. This can be done by setting the TrustedProxies property in your Gin router

Solution in code:

r := gin.Default()
r.ForwardedByClientIP = true
r.SetTrustedProxies([]string{"127.0.0.1", "192.168.1.2", "10.0.0.0/8"})

In the example above, we are specifying two trusted proxy server IP addresses (192.168.1.2 and any IP address within the 10.0.0.0/8 network). You should replace these values with the appropriate IP addresses or network ranges for your own environment.

Once you have updated your Gin configuration, you should no longer see the warning message, and your application will be more secure against potential proxy-based attacks.

@uranderu
Copy link

The perfect solution 💕

Issue: Gin by default does not allow all requests to access the server for security reasons

Solution: If you are using the Golang Gin framework and receiving the warning “you trusted all proxies this is not safe. we recommend you to set a value”, it means that your application is currently configured to trust all incoming proxy requests, which can be a security risk.

To fix this issue, you should update your Gin configuration to specify the IP addresses or networks of trusted proxy servers. This can be done by setting the TrustedProxies property in your Gin router

Solution in code:

r := gin.Default()
r.ForwardedByClientIP = true
r.SetTrustedProxies([]string{"127.0.0.1", "192.168.1.2", "10.0.0.0/8"})

In the example above, we are specifying two trusted proxy server IP addresses (192.168.1.2 and any IP address within the 10.0.0.0/8 network). You should replace these values with the appropriate IP addresses or network ranges for your own environment.

Once you have updated your Gin configuration, you should no longer see the warning message, and your application will be more secure against potential proxy-based attacks.

I'm sorry but this is not the perfect solution. I think many of us handle this kind of security somewhere else. And even if you do not I think @duaneking makes some excellent points why this standard behaviour should be changed.

@duaneking
Copy link

duaneking commented Oct 12, 2023

As somebody with professional experience in cyber security, I can totally understand the desire to be able to limit to a close set of trusted IP ranges.

The problem here is that this "feature" makes security actively worse, while it creates additional costs for the business.

Setting nil to turn it off should be the default. Then, when people are doing deployment, they can enable it as they need to.

The fact that a system can run without this feature turned on perfectly fine, faster, in a fully secure way, shows that this feature is simply dead code bloat for most people.

I think it's really happening here is that this feature was added because of a social situation not because of an engineering requirement; I would like to formally request that this feature be turned off by default, simply because it's hosting specific, and I feel it's unfair for everybody not using those hosting platforms that require this for it to be enabled by default as I would consider it to be a bug.

@swarajkumarsingh
Copy link

The perfect solution 💕

Issue: Gin by default does not allow all requests to access the server for security reasons
Solution: If you are using the Golang Gin framework and receiving the warning “you trusted all proxies this is not safe. we recommend you to set a value”, it means that your application is currently configured to trust all incoming proxy requests, which can be a security risk.
To fix this issue, you should update your Gin configuration to specify the IP addresses or networks of trusted proxy servers. This can be done by setting the TrustedProxies property in your Gin router
Solution in code:

r := gin.Default()
r.ForwardedByClientIP = true
r.SetTrustedProxies([]string{"127.0.0.1", "192.168.1.2", "10.0.0.0/8"})

In the example above, we are specifying two trusted proxy server IP addresses (192.168.1.2 and any IP address within the 10.0.0.0/8 network). You should replace these values with the appropriate IP addresses or network ranges for your own environment.
Once you have updated your Gin configuration, you should no longer see the warning message, and your application will be more secure against potential proxy-based attacks.

I'm sorry but this is not the perfect solution. I think many of us handle this kind of security somewhere else. And even if you do not I think @duaneking makes some excellent points why this standard behaviour should be changed.

Yeah, I understand the point, but the solution is just to remove DEBUG print by gin, of course, you can set it to 0.0.0.0 for public access and alter it in the nginx ... or whatever service/tech stack you are using. 😉

@uranderu
Copy link

uranderu commented Oct 12, 2023 via email

@twocs
Copy link

twocs commented Oct 18, 2023

The link is now broken, i.e. there's no readme info corresponding to:
https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies

@Leinadium
Copy link

Leinadium commented Oct 19, 2023

The link is now broken, i.e. there's no readme info corresponding to: https://pkg.go.dev/github.com/gin-gonic/gin#readme-don-t-trust-all-proxies

It was apparently moved from the readme.md file to a docs/doc.md file at #3449

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants