-
-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
integrate proxy-addr #281
Comments
need to make a PR with https://github.com/expressjs/proxy-addr. i'm not 100% sure what's going on here, but at least it'll match express |
waiting until @dougwilson redos |
@jonathanong I'll try to get something today, time pending :) From the title of this, are you intending to use it to do hop counting instead of whitelisting? |
opened this during the discussion before, I'm cool with doing whatever we end up doing in express, might as well keep them similar |
Thanks @visionmedia :) Express allows for both. I'm basically working to rip out all those accessors for express into a module to use cross-project (req.secure, req.protocol, req.ip, req.ips, req.host). It can be implemented easily in |
sweet! even if we have: req = new Forwarded(req);
req.ip
req.ips
req.secure
req.protocol it would be easy to wrap up so we're not directly manipulating |
Yea, I saw that too and it is nice that there is something official now :) I was thinking of adding it, but adding support for it right now is a security risk, because no proxies are filtering out |
@dougwilson what do you think about integrating this now? |
@dougwilson or are you still planning to release a |
|
👍 |
Hi, we noticed an issue when there are potentially multiple proxies and app.proxy = true. We occasionally end up with private IP addresses in the logs. I think the situation can happen in this example:
in this scenereo, 10.1.1.1 is returned in this.ip instead of 1.1.1.1 Maybe we also could use another option called "app.filterPrivateIps = true" which will actually filter out any RFC1918 ips from this.ips. indutny's "ip" module has an .isPrivate() method that may be helpful. |
Oh cool, it looks like proxy-addr actually may solve the exact issue I described above. |
o i c. proxy-addr doesn't do as much as i thoguht it would in its current form. right now, the benefit is minimal.
|
Just as a note, I found this in one of my logs even though I don't have ipv6 enabled on the server. Seems like some strange proxy setting headers in a funny way. The IP address at the end is my own public ip (though i've changed it to something random and invalid for anonymity). ::ffff:267.211.128.66 |
Altenatively, maybe could have something like an array of trusted headers by priority... app.trustedProxyHeaders = ['X-Real-IP', 'X-Forwaded-For'] and then the app.ips() method could use that. I'm going to configure HAProxy to set the X-Real-IP, but I was hoping for a simple way for me to configure all my koa apps to pick it up. ALl my koa apps sit behind haproxy. |
FYI for anybody interested: resumed progress on jshttp/forwarded/pull/1 any assistance is welcome, whether in the form of review, feedback, contribution, or simply cheering :) |
…zation is added (ref: <koajs/koa#281>)
…zation is added (ref: <koajs/koa#281>)
re: expressjs/expressjs.com#152 (comment)
or whatever we decide is the way to go in those discussions
https://github.com/expressjs/proxy-addr/
The text was updated successfully, but these errors were encountered: