Make HttpCache behave more like a real reverse proxy #7034


Closed

Conversation

Member

@fabpot fabpot commented Feb 9, 2013

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #6982, #7000
| License       | MIT
| Doc PR        | n/a

@bendavies
Contributor

Awesome, thanks Fabien. Should this not target 2.0/2.1?

@@ -72,6 +72,9 @@ class HttpCache implements HttpKernelInterface, TerminableInterface
* This setting is overridden by the stale-if-error HTTP Cache-Control extension
* (see RFC 5861).
*
* * forwarded_for Specifies whether the client's IP address in the HTTP requests the cache forwards
* should be appended to the X-Forwarded-For header (default: true).
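Review bot: the docblock for the new forwarded_for option only describes the true case (the client's address is appended); it should also state what the cache does with an X-Forwarded-For header it receives from its own client, and what the backend sees when the option is false. Without that, a reader cannot tell whether a header supplied by the client is passed through to the backend unchanged, which is exactly the trust question a backend relying on X-Forwarded-For has to answer. If the option is dropped in favour of always writing the observed REMOTE_ADDR, say so in this comment block rather than leaving a setting documented that no longer exists.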
Contributor


This introduces a security vulnerability as any client can now fake any IP by populating this header, imo you should just remove this option and always overwrite X_Forwarded_For with REMOTE_ADDR.

Member Author


Well, one can argue that you can only trust the proxy if the forwarded_for option is set to true (which is the default). If you turn off this option, then the proxy cannot be trusted anymore, so there is no security issue if everything is configured as it should be. As setting this option to false is probably not a common case, I'm going to remove this option.
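The point argued in the review thread above, as an added example that is not Symfony's code: a reverse proxy should forward the peer address it observed itself (REMOTE_ADDR) and keep a client-supplied X-Forwarded-For chain only when that peer is a trusted upstream proxy. The function name, the `$trustedProxies` list and the sample addresses are this example's own assumptions.

```php
<?php
// Added example, not HttpCache's implementation: how a cache sitting in front
// of a backend should build the X-Forwarded-For value it sends upstream.

/**
 * Build the outgoing X-Forwarded-For header.
 *
 * The address the proxy observed on the TCP connection ($remoteAddr) is always
 * appended, so the backend can decide how many hops it trusts. The header the
 * client sent ($incomingHeader) is kept only when the peer is itself a trusted
 * proxy; a direct client could otherwise write any address it likes into it.
 */
function buildForwardedFor(string $remoteAddr, ?string $incomingHeader, array $trustedProxies): string
{
    $hops = [];
    if ($incomingHeader !== null && in_array($remoteAddr, $trustedProxies, true)) {
        foreach (explode(',', $incomingHeader) as $ip) {
            $ip = trim($ip);
            if ($ip !== '') {
                $hops[] = $ip;
            }
        }
    }
    $hops[] = $remoteAddr;

    return implode(', ', $hops);
}

// Constructed sample requests (RFC 5737 documentation addresses):
$trusted = ['192.0.2.10'];

// 1. A direct client sends a forged X-Forwarded-For: the forged value is
//    discarded and only the observed peer address is forwarded.
echo buildForwardedFor('203.0.113.7', '10.0.0.1', $trusted), "\n";

// 2. The same request arrives through the trusted upstream proxy 192.0.2.10:
//    the chain it reports is preserved and the proxy's own address appended.
echo buildForwardedFor('192.0.2.10', '203.0.113.7', $trusted), "\n";
```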

@fabpot
Member Author

fabpot commented Feb 11, 2013

@bendavies Indeed, I'm going to merge it to the 2.1 branch

fabpot added a commit that referenced this pull request Feb 11, 2013
This PR was submitted for the 2.2 branch but it was merged into the 2.1 branch instead (closes #7034).

Commits
-------

1fdded5 [HttpKernel] added support for the X-Forwarded-For header (closes #6982, closes #7000)
be65d7c [HttpKernel] fixed the IP address in HttpCache when calling the backend

Discussion
----------

Make HttpCache behave more like a real reverse proxy

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #6982, #7000
| License       | MIT
| Doc PR        | n/a

---------------------------------------------------------------------------

by bendavies at 2013-02-10T00:55:29Z

Awesome, thanks Fabien. Should this not target 2.0/2.1?
@fabpot fabpot closed this Feb 11, 2013
@slider

slider commented Sep 20, 2013

Is there a specific reason why 127.0.0.1 is not on the trusted proxy list by default?

@leofeyer
Contributor

leofeyer commented Oct 6, 2016

@fabpot Shouldn't you be adding the port number here if it is not 80 or 443?

```
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Encoding: gzip, deflate
Accept-Language: de,en;q=0.9
Connection: Keep-Alive
Device-Stock-Ua: Mozilla/5.0 (Linux; Android 4.4.2; BLOOM Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Forwarded: for="10.10.10.10:34161"
Host: www.example.com"
User-Agent: Opera/9.80 (Android; Opera Mini/18.0.2254/37.8814; U; de) Presto/2.12.423 Version/12.16
X-Forwarded-For: 10.10.10.10
X-Operamini-Features: httpping, advanced, pingback, routing, file_system, camera, touch, viewport, folding, download
X-Operamini-Phone: Android #
X-Operamini-Phone-Ua: Mozilla/5.0 (Linux; Android 4.4.2; BLOOM Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36"
```

As you see, the Forwarded header has the port number (10.10.10.10:34161) whereas the X-Forwarded-For header does not. This will lead to a ConflictingHeadersException.

@xabbuh
Member

xabbuh commented Oct 6, 2016

@leofeyer Please open a new issue if you think that you found a bug.

@leofeyer
Contributor

leofeyer commented Oct 6, 2016

Will do as soon as I know for sure that it is a bug. 😄

@MAXakaWIZARD
Contributor

@leofeyer There's normalizeAndFilterClientIps call here, which removes port numbers from all IPs: https://github.com/symfony/http-foundation/blob/2.8/Request.php#L830
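The port question raised in the two comments above (`for="10.10.10.10:34161"` in Forwarded versus `10.10.10.10` in X-Forwarded-For), as an added example that is not Symfony's `normalizeAndFilterClientIps`: strip the port from each address in both headers before comparing them, so a port on one side alone does not make the headers look like they disagree. Function names are this example's own; the sample headers are the ones quoted in the thread plus a constructed IPv6 case.

```php
<?php
// Added example, not the Request.php code linked above: port stripping for
// the addresses carried in Forwarded "for=" and X-Forwarded-For.

/** Return one address without its port: "1.2.3.4:80" -> "1.2.3.4", "[::1]:80" -> "::1". */
function stripPort(string $node): string
{
    $node = trim($node, " \t\"");                 // RFC 7239 allows quoted values
    if ($node !== '' && $node[0] === '[') {       // bracketed IPv6, possibly with port
        $end = strpos($node, ']');
        return $end === false ? $node : substr($node, 1, $end - 1);
    }
    if (substr_count($node, ':') === 1) {         // IPv4 with port (IPv6 has >= 2 colons)
        return strstr($node, ':', true);
    }
    return $node;                                 // bare IPv4 or bare IPv6
}

/** Extract the for= addresses from a Forwarded header (RFC 7239), ports removed. */
function forwardedFor(string $header): array
{
    $ips = [];
    foreach (explode(',', $header) as $element) {
        foreach (explode(';', $element) as $pair) {
            [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
            if (strtolower(trim($key)) === 'for') {
                $ips[] = stripPort($value);
            }
        }
    }
    return $ips;
}

/** Extract the addresses from an X-Forwarded-For header, ports removed. */
function xForwardedFor(string $header): array
{
    return array_map('stripPort', explode(',', $header));
}

// The headers quoted in the comment above: equal once the port is gone.
var_dump(forwardedFor('for="10.10.10.10:34161"') === xForwardedFor('10.10.10.10'));

// Constructed IPv6 case with a proxy hop: bracketed form with a port on one side.
var_dump(forwardedFor('for="[2001:db8::1]:4711";proto=https, for=192.0.2.10')
    === xForwardedFor('2001:db8::1, 192.0.2.10'));
```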
