- Improvement
- Resolution: Unresolved
- Minor
- None
- 3.9
- None
- MOODLE_39_STABLE
This is a follow-up of MDL-67861, where the handling of the X-Forwarded-For headers was improved to a better and safer alternative.
In that issue, a new setting $CFG->reverseproxyignore was added, allowing sites with multiple levels of reverse proxies / balancers to define which ones can be ignored from the header, strictly picking the first (rightmost) address not in the list.
And that's good compared to the previous "always leftmost" alternative.
Irrespective of that, along the issue, different approaches were commented on, notably a real implementation like https://github.com/un33k/django-ipware (shared by fred).
There are some techniques there, namely (and surely incomplete):
- Whitelisting/defining trustable proxies (external or internal, forward or reverse).
- Blacklisting private IPs.
- Looking at more headers than just HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR, with a defined precedence order.
- Providing a way to count how many elements should be skipped.
- Deciding between rightmost / leftmost (leftmost can be perfectly valid in some environments, say a corporate intranet or whatever).
So this issue is about considering whether some of those extra features for detecting the source IP are desirable and, if so, implementing them (some/all) in a way compatible with the current implementation.
Ciao
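To make the techniques listed above concrete, here is an added Python sketch of a combined resolver. It is not Moodle code (Moodle is PHP) and not django-ipware's code; the function name `client_ip`, the `trusted_proxies` / `skip` / `reject_private` / `rightmost` parameters and the sample addresses are all constructed for illustration. The `trusted_proxies` list plays the role that $CFG->reverseproxyignore plays in MDL-67861; the other options correspond to the private-IP blacklist, header precedence, skip count and leftmost/rightmost choices from the list. One deliberate design decision, not stated in the issue: forwarding headers are only honoured when the TCP peer (REMOTE_ADDR) is itself a trusted proxy, because otherwise any client can set them.

```python
import ipaddress

# Header precedence, most trusted first (constructed default, not a Moodle setting).
DEFAULT_HEADER_ORDER = ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR")


def _parse_ip(text):
    """Parse one address; return None on garbage instead of raising."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _trusted(ip, networks):
    """True if ip falls inside any configured trusted-proxy network."""
    return any(ip in net for net in networks)


def client_ip(environ, trusted_proxies=(), header_order=DEFAULT_HEADER_ORDER,
              skip=0, reject_private=False, rightmost=True):
    """Pick the client address from a CGI-style environ dict (hypothetical API).

    trusted_proxies: CIDR strings for proxies whose hops are skipped
        (the role $CFG->reverseproxyignore has in MDL-67861).
    skip: extra hops to discard beyond the trusted ones.
    reject_private: drop private/reserved candidates (RFC 1918, loopback, ...).
    rightmost: walk the chain from the proxy end (safer) or from the client end.
    Returns the chosen address as a string, or None if REMOTE_ADDR is unusable.
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    peer = _parse_ip(environ.get("REMOTE_ADDR", ""))
    if peer is None:
        return None
    # A forwarding header only means something when the socket peer is one of
    # our own proxies; from anyone else it is attacker-controlled, so ignore it.
    if not _trusted(peer, networks):
        return str(peer)

    for header in header_order:
        raw = environ.get(header, "")
        if not raw.strip():
            continue
        hops = [_parse_ip(h) for h in raw.split(",")]
        if any(h is None for h in hops):
            # A malformed entry anywhere in the list: treat the whole header as hostile.
            continue
        # The chain as it appears on the wire: client, ..., last proxy, then the peer.
        chain = hops + [peer]
        candidates = list(reversed(chain)) if rightmost else chain
        remaining = skip
        for ip in candidates:
            if rightmost and _trusted(ip, networks):
                continue            # one of our own proxies; keep walking
            if remaining > 0:
                remaining -= 1      # the operator asked us to discard more hops
                continue
            if reject_private and not ip.is_global:
                continue            # private/reserved address cannot be the client
            return str(ip)
    # Headers present but nothing acceptable: fall back to the socket peer.
    return str(peer)


if __name__ == "__main__":
    # Constructed sample request: two trusted proxies in 10.0.0.0/8, client
    # tried to prepend a fake hop (6.6.6.6) before the real one (5.6.7.8).
    env = {"REMOTE_ADDR": "10.0.0.2",
           "HTTP_X_FORWARDED_FOR": "6.6.6.6, 5.6.7.8, 10.0.0.1"}
    print(client_ip(env, trusted_proxies=["10.0.0.0/8"]))            # 5.6.7.8
    print(client_ip(env, trusted_proxies=["10.0.0.0/8"], rightmost=False))  # 6.6.6.6
```

The rightmost walk is what makes the prepended hop harmless: everything to the left of the first untrusted address is whatever the client chose to send, and `skip` only applies after the trusted proxies have already been removed, so a misconfigured count cannot re-admit them.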
- will be (partly) resolved by: MDL-67871 Add security check for $CFG->getremoteaddrconf (Open)