You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Incoming HTTP requests may contain X-Forwarded-For header, sent by a client to bypass the client application IP restrictions or rate limiters and fake the client IP address. Currently, nginx-proxy trusts this header and passes it to the downstream.
I suggest introducing a TRUST_FORWARDED_HEADERS, which takes a comma-separated list of IP networks, that are trusted. X-Forwarded headers from these networks should be passed to the downstream only if the request address is trusted.
The text was updated successfully, but these errors were encountered:
You have upstream and downstream backwards: The client is downstream of the reverse proxy, and the backend server is upstream of the NGINX reverse proxy.
Incoming HTTP requests may contain
X-Forwarded-For
header, sent by a client to bypass the client application IP restrictions or rate limiters and fake the client IP address. Currently, nginx-proxy trusts this header and passes it to the downstream.This is a pretty serious flaw that requires a CVE registration, as it happened in other OpenSource projects: CVE-2020-28483 for go/gin, CVE-2020-35590 for WordPress, CVE-2020-13485 for CraftCMS.
The application developers usually specify trusted proxy server IP addresses explicitly and frameworks and proxies provide properties for this kind of configuration. For example, Symfony – PHP framework, Express – JS framework, Gin – Go framework, Traefik Proxy
I suggest introducing a
TRUST_FORWARDED_HEADERS
, which takes a comma-separated list of IP networks, that are trusted.X-Forwarded
headers from these networks should be passed to the downstream only if the request address is trusted.The text was updated successfully, but these errors were encountered: