HTTPS and mod_remoteip #149
Trust HTTP_X_FORWARDED_PROTO and HTTP_X_FORWARDED_PORT even if not coming from a trusted proxy. It's not a security problem like directly parsing HTTP_X_FORWARDED_FOR. This fixes HTTPS in proxy server setups with mod_remoteip enabled.
You can spam the application with a shitload of errors if the app breaks with an incompatible URL. In the worst case it would be possible, e.g., to send a user an email with the URL of an attacker's website.
You can always mark all proxies as trusted with
@kncsvk does this work for you: (https://doc.nette.org/cs/3.0/configuring#toc-http-proxy)
http:
    proxy: 0.0.0.0/0
I have a web server setup with an HTTP proxy and an Apache web server with the mod_remoteip module (this module replaces REMOTE_ADDR with the real client IP instead of the proxy IP).
HTTP works as expected, but with HTTPS I have these problems:
With router:
$router[] = new Route('<presenter>/<action>[/<id>]', 'Dashboard:default');
Result URL was
https://example.com:80/
With router:
$router[] = new Route('https://%host%/<presenter>/<action>[/<id>]', 'Dashboard:default');
Result in browser was a redirect loop (ERR_TOO_MANY_REDIRECTS).
I searched the code and found that HTTP_X_FORWARDED* headers are ignored if they didn't come from a trusted proxy. After bypassing this check for HTTP_X_FORWARDED_PROTO and HTTP_X_FORWARDED_PORT, the router works again as expected.
I don't see any security problem if these two variables didn't come from a trusted proxy.
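The trusted-proxy gate discussed in this thread, as an added PHP illustration that is not part of the original pull request and is not Nette's own code. The function names, the 10.0.0.0/8 proxy range and the sample addresses are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added illustration, not Nette's code; function names are hypothetical.

/** True when $ip is inside the IPv4 block $cidr, e.g. "10.0.0.0/8". */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // not IPv4: treat as untrusted
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Scheme and port, honouring X-Forwarded-* only when REMOTE_ADDR is a trusted proxy. */
function resolveSchemeAndPort(array $server, array $trustedProxies): array
{
    $https = strtolower($server['HTTPS'] ?? 'off');
    $scheme = ($https !== '' && $https !== 'off') ? 'https' : 'http';
    $port = (int) ($server['SERVER_PORT'] ?? 80);
    $peer = $server['REMOTE_ADDR'] ?? '';
    $trusted = false;
    foreach ($trustedProxies as $cidr) {
        $trusted = $trusted || ipInCidr($peer, $cidr);
    }
    if (!$trusted) {
        return [$scheme, $port]; // forwarded headers are ignored
    }
    if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
        $scheme = strcasecmp($server['HTTP_X_FORWARDED_PROTO'], 'https') === 0 ? 'https' : 'http';
        $port = $scheme === 'https' ? 443 : 80;
    }
    if (isset($server['HTTP_X_FORWARDED_PORT'])) {
        $port = (int) $server['HTTP_X_FORWARDED_PORT'];
    }
    return [$scheme, $port];
}

// Constructed sample: TLS ends at proxy 10.0.0.5, Apache itself listens on plain :80.
$headers = ['SERVER_PORT' => '80', 'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_PORT' => '443'];
$trusted = ['10.0.0.0/8'];
// Without mod_remoteip REMOTE_ADDR is the proxy, so the headers are honoured.
var_dump(resolveSchemeAndPort($headers + ['REMOTE_ADDR' => '10.0.0.5'], $trusted));
// With mod_remoteip REMOTE_ADDR is already the client, so the same headers are dropped.
var_dump(resolveSchemeAndPort($headers + ['REMOTE_ADDR' => '203.0.113.7'], $trusted));
```

Passing `['0.0.0.0/0']` as the trusted list makes the second call honour the headers as well, which is only appropriate when the web server is reachable solely through the proxy.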