-
-
Notifications
You must be signed in to change notification settings - Fork 31.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
X-Forwarded-For support broken #4265
Comments
Looks like the lack of a proper test indeed caused us to ship broken functionality. After some extra thought, I actually think that doing auth based on a header that anyone can set (including a malicious user who can pretend to be a proxy) is a bad idea. So instead of fixing it I suggest we kill the feature. |
It's an opt in feature. Users should be entirely aware of the consequences of the opt in, but I don't think that we should remove this feature because of those consequences. |
Indeed exposing HASS directly to untrusted networks would allow spoofing the header and therefore the originating IP address, which is undesirable. In a reverse proxied setup however this feature is very valuable, which why I'd kindly ask not to throw the idea of it out. So a pull request fixing this should address:
|
OK that sounds good On Mon, Nov 7, 2016, 04:32 hexa- [email protected] wrote:
|
👍 |
This feature needs to be enabled through the `http.use_x_forwarded_for` option, satisfying security concerns of spoofed remote addresses in untrusted network environments. The testsuite was enhanced to explicitly test the functionality of the header. Fixes home-assistant#4265. Signed-off-by: Martin Weinelt <[email protected]>
This feature needs to be enabled through the `http.use_x_forwarded_for` option, satisfying security concerns of spoofed remote addresses in untrusted network environments. The testsuite was enhanced to explicitly test the functionality of the header. Fixes #4265. Signed-off-by: Martin Weinelt <[email protected]>
This feature needs to be enabled through the `http.use_x_forwarded_for` option, satisfying security concerns of spoofed remote addresses in untrusted network environments. The testsuite was enhanced to explicitly test the functionality of the header. Fixes #4265. Signed-off-by: Martin Weinelt <[email protected]>
This commit (519d9f2#diff-eb76e695595582bfd0beb58c113181b6R373) broke support for the
X-Forwarded-For
header that is necessary to pass the realremote_addr
in proxied setups.This happened because of the change to aiohttp and I assume you, @balloob, read aio-libs/aiohttp#642 (comment), but not aio-libs/aiohttp#642 (comment), which changes the behaviour of
get_real_ip
. As we are obviously missing a testcase that injects a properX-Forwarded-For
header and then validates it, this has gone unnoticed so far.Unfortunately there is no direct support for the
X-Forwarded-*
header family in aiohttp, see aio-libs/aiohttp#1134.Too tired right now, to research this further, but a new solution has to be found. Currently
peername
will always be('127.0.0.1', 43270)
(with rotating ports of course), not the realremote_addr
.The text was updated successfully, but these errors were encountered: