
Prevent X-Forwarded-For header passing from untrusted upstreams #1974

Open
SilverFire opened this issue Apr 26, 2022 · 4 comments

Comments

@SilverFire (Contributor) opened the issue Apr 26, 2022

Incoming HTTP requests may contain an X-Forwarded-For header, sent by a client to bypass the client application's IP restrictions or rate limiters and fake the client IP address. Currently, nginx-proxy trusts this header and passes it to the downstream.

This is a pretty serious flaw that requires a CVE registration, as happened in other open-source projects: CVE-2020-28483 for go/gin, CVE-2020-35590 for WordPress, CVE-2020-13485 for CraftCMS.

Application developers usually specify trusted proxy server IP addresses explicitly, and frameworks and proxies provide properties for this kind of configuration. For example: Symfony (PHP framework), Express (JS framework), Gin (Go framework), Traefik Proxy.

I suggest introducing a TRUST_FORWARDED_HEADERS setting, which takes a comma-separated list of IP networks that are trusted. X-Forwarded headers from these networks should be passed to the downstream only if the request address is trusted.
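The trusted-proxy logic proposed above, as an added example that is not nginx-proxy's own code: `TrustedProxies` is an assumed parsed form of the proposed TRUST_FORWARDED_HEADERS list, the function names are hypothetical, and the addresses in `main` are constructed. `NaiveClientIP` shows the flaw the issue describes (the peer's own header is believed), `ClientIP` shows the hardened walk of the chain from right to left that stops at the first address not in a trusted network, and `ForwardedForUpstream` builds the header that should reach the backend: extended when the peer is a trusted proxy, replaced by the peer address alone when it is not.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// TrustedProxies holds the networks whose X-Forwarded-For headers are believed.
// Assumption for this example: it is the parsed form of the proposed
// TRUST_FORWARDED_HEADERS setting, a comma-separated list of CIDRs.
type TrustedProxies []*net.IPNet

// ParseTrusted parses "10.0.0.0/8, 172.16.0.0/12"; bare addresses become /32 or /128.
func ParseTrusted(list string) (TrustedProxies, error) {
	var nets TrustedProxies
	for _, item := range strings.Split(list, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if !strings.Contains(item, "/") {
			if ip := net.ParseIP(item); ip != nil {
				if ip.To4() != nil {
					item += "/32"
				} else {
					item += "/128"
				}
			}
		}
		_, n, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("TRUST_FORWARDED_HEADERS: bad entry %q: %w", item, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// Contains reports whether ip falls inside any trusted network.
func (t TrustedProxies) Contains(ip net.IP) bool {
	for _, n := range t {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// peerIP strips the port from a "host:port" RemoteAddr (bare IPs are accepted too).
func peerIP(remoteAddr string) net.IP {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	return net.ParseIP(host)
}

// splitXFF turns "a, b,c" into ["a","b","c"], dropping empty entries.
func splitXFF(xff string) []string {
	var out []string
	for _, e := range strings.Split(xff, ",") {
		if e = strings.TrimSpace(e); e != "" {
			out = append(out, e)
		}
	}
	return out
}

// NaiveClientIP is the behaviour the issue complains about: the leftmost
// X-Forwarded-For entry is taken as the client no matter who sent it, so any
// client can claim to be 127.0.0.1 and defeat an IP allow-list or rate limiter.
func NaiveClientIP(remoteAddr, xff string) string {
	if hops := splitXFF(xff); len(hops) > 0 {
		return hops[0]
	}
	return peerIP(remoteAddr).String()
}

// ClientIP is the hardened version: start from the TCP peer and walk the
// X-Forwarded-For chain right to left, skipping addresses that are trusted
// proxies. The first address that is not a trusted proxy is the client; anything
// to its left was supplied by an untrusted party and is ignored. A malformed
// entry stops the walk and the last trusted hop seen is returned.
func ClientIP(remoteAddr, xff string, trusted TrustedProxies) string {
	peer := peerIP(remoteAddr)
	if peer == nil {
		return ""
	}
	last := peer.String()
	if !trusted.Contains(peer) {
		return last // untrusted peer: its header is not consulted at all
	}
	hops := splitXFF(xff)
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(hops[i])
		if ip == nil {
			return last
		}
		if !trusted.Contains(ip) {
			return ip.String()
		}
		last = ip.String()
	}
	return last // every hop was a trusted proxy; the leftmost one is returned
}

// ForwardedForUpstream builds the X-Forwarded-For value to send to the backend
// (nginx's "upstream"). A trusted peer's header is extended with the peer address;
// an untrusted peer's header is discarded and replaced by the peer address alone.
func ForwardedForUpstream(remoteAddr, xff string, trusted TrustedProxies) string {
	peer := peerIP(remoteAddr)
	if peer == nil {
		return ""
	}
	if trusted.Contains(peer) && len(splitXFF(xff)) > 0 {
		return strings.Join(append(splitXFF(xff), peer.String()), ", ")
	}
	return peer.String()
}

func main() {
	trusted, _ := ParseTrusted("10.0.0.0/8") // constructed: the internal load-balancer range
	forged := "127.0.0.1"                    // constructed: header sent by an internet client
	fmt.Println(NaiveClientIP("203.0.113.7:51234", forged))                  // 127.0.0.1 (spoofed)
	fmt.Println(ClientIP("203.0.113.7:51234", forged, trusted))              // 203.0.113.7
	fmt.Println(ClientIP("10.0.0.5:443", "127.0.0.1, 203.0.113.7", trusted)) // 203.0.113.7
	fmt.Println(ForwardedForUpstream("203.0.113.7:51234", forged, trusted))  // 203.0.113.7
	fmt.Println(ForwardedForUpstream("10.0.0.5:443", "203.0.113.7", trusted)) // 203.0.113.7, 10.0.0.5
}
```

The same decision can be expressed in plain nginx configuration with a `geo` block that flags trusted peer addresses and a `map` that selects `$proxy_add_x_forwarded_for` for flagged peers and `$remote_addr` for everyone else; the Go version above is only the logic, written so it can be run and tested stand-alone.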

@SilverFire (Contributor, Author)

Discussion has started in #1927

@rhansen (Collaborator) commented Apr 27, 2022

You have upstream and downstream backwards: The client is downstream of the reverse proxy, and the backend server is upstream of the NGINX reverse proxy.

@SilverFire (Contributor, Author)

Never thought about it this way, and it depends, as I see https://stackoverflow.com/a/32365658

If you prefer calling them vice versa in this project – let me know, I'm OK with that.

@rhansen (Collaborator) commented Apr 30, 2022

I think it's important to be consistent with NGINX, and NGINX uses "upstream" to refer to the backend server.
