Feature #2860

RFE: mod_extforward CIDR support

Added by glen 8 months ago. Updated 6 months ago.

Status: Fixed
Priority: Low
Assignee: -
Category: mod_extforward
Target version:
Start date: 2018-01-31
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

lighttpd does not support adding whole networks as extforwarder.

tried variants:

$HTTP["remoteip"] == "192.168.24.0/24" {
    extforward.forwarder = ( "all" => "trust" )
}

extforward.forwarder = (
    "192.168.24.0" => "trust",
)

extforward.forwarder = (
    "192.168.24.0/24" => "trust",
)

the second problem (or part of the problem) is that chained trust (no longer?) works:

$HTTP["remoteip"] == "192.168.24.0/24" {
    extforward.forwarder = ( "all" => "trust" )
    extforward.headers = ("X-Real-IP","X-Forwarded-For")
}

For this, an additional line must be added to haproxy:

http-request set-header X-Real-IP %[src]

The problem was that there were multiple IPs in the X-Forwarded-For header, and it seems lighty was able to trust only one of the internal IPs.

If lighttpd is reached via multiple trusted proxies, those all need to be trusted and X-Forwarded-For walked until the first untrusted IP is found.

Associated revisions

Revision fc7edb39 (diff)
Added by gstrauss 7 months ago

[mod_extforward] CIDR support for trusted proxies (fixes #2860)

x-ref:
"RFE: mod_extforward CIDR support"
https://redmine.lighttpd.net/issues/2860

Revision 78e25f0f (diff)
Added by gstrauss 6 months ago

[mod_extforward] allow explicit IPs to be untrusted (#2860)

Allowing explicit IPs to be rejected might be useful in situations
where an internal network is to be allowed by CIDR mask, but there are
a small number of untrusted hosts on the network, e.g. hosts behind a
NAT to which some external ports are forwarded.

CIDR masks must be marked "trust", or else are ignored with a warning.

x-ref:
"RFE: mod_extforward CIDR support"
https://redmine.lighttpd.net/issues/2860
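As an added illustration of the behaviour the report and the two commits above describe (example code written for this page, not lighttpd's mod_extforward): a constructed extforward.forwarder-style table with a CIDR entry marked "trust" and one explicit IP inside it marked "untrust", and a walk of X-Forwarded-For from the connecting IP back to the first hop that is not a trusted proxy. Per the mod_extforward.c comment quoted later in this thread, "all" is honoured only for the connecting IP.

```python
import ipaddress

# Constructed config in the shape of extforward.forwarder (not lighttpd's own code):
# CIDR masks may only be "trust"; explicit IPs may be "trust" or "untrust";
# "all" trusts any connecting IP but never an address found in X-Forwarded-For.
FORWARDER = {
    "192.168.24.0/24": "trust",  # internal proxy subnet (varnish/haproxy hosts)
    "192.168.24.77": "untrust",  # NAT'd host inside that subnet, explicitly rejected
    "10.0.0.5": "trust",         # one more proxy, listed by explicit IP
}

def parse_forwarder(conf):
    """Split config into trusted networks and explicit per-host verdicts; a CIDR not marked trust is ignored with a warning."""
    nets, hosts, warnings = [], {}, []
    for key, verdict in conf.items():
        if key == "all":
            continue
        if "/" in key:
            if verdict != "trust":
                warnings.append(f"CIDR {key} must be 'trust'; ignored")
                continue
            nets.append(ipaddress.ip_network(key, strict=False))
        else:
            hosts[ipaddress.ip_address(key)] = verdict
    return nets, hosts, warnings

def is_trusted(ip, nets, hosts):
    """Explicit host verdict wins over a CIDR match; unparsable values are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr in hosts:
        return hosts[addr] == "trust"
    return any(addr in net for net in nets)

def client_ip(remote_addr, xff, conf=FORWARDER):
    """Walk X-Forwarded-For right to left from the connecting IP; stop at the first untrusted hop."""
    nets, hosts, _ = parse_forwarder(conf)
    # "all" applies only to the connecting IP; header entries still need a real match.
    if not (conf.get("all") == "trust" or is_trusted(remote_addr, nets, hosts)):
        return remote_addr
    client = remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        client = hop
        if not is_trusted(hop, nets, hosts):
            break  # first untrusted hop is the real client
    return client
```

With "all" => "trust" and no other entries, only the rightmost X-Forwarded-For value is believed, which is the one-level behaviour the reporter observed.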

History

#1

Updated by gstrauss 8 months ago

  • Subject changed from "missing proper extforward cidr support" to "RFE: mod_extforward CIDR support"
  • Priority changed from Normal to Low

No, mod_extforward does not have CIDR support.

mod_extforward has support for haproxy PROXY protocol.
See #2804 and Docs_ModExtForward extforward.hap-PROXY and extforward.hap-PROXY-ssl-client-verify

#2

Updated by glen 8 months ago

gstrauss wrote:

No, mod_extforward does not have CIDR support.

mod_extforward has support for haproxy PROXY protocol.
See #2804 and Docs_ModExtForward extforward.hap-PROXY and extforward.hap-PROXY-ssl-client-verify

Sadly that does not satisfy me, because I have varnish as lighttpd upstream for HTTP connections and varnish+haproxy for HTTPS connections. So lighttpd is contacted via varnish only.

also, even when using haproxy PROXY, the extforward.forwarder still doesn't support CIDR:

Also, note that when extforward.hap-PROXY = "enable", mod_extforward will process HAProxy PROXY protocol requests only for trusted proxies configured in extforward.forwarder.

#3

Updated by gstrauss 7 months ago

Alternative: configure lighttpd mod_extforward to trust all IPs, and configure the firewall on the lighttpd server to allow inbound connections only from the subnet with your varnish servers.

#4

Updated by gstrauss 7 months ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.49

#5

Updated by gstrauss 7 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

#6

Updated by glen 6 months ago

I have considered the alternative, but it's insecure to trust all addresses from proxy headers in case of value chaining, because the client may also send such a header.

It would work if all entry nodes (varnish, haproxy) clear the X-Forwarded-For header, so it would be filled by internal servers only.

#7

Updated by gstrauss 6 months ago

Allowing a CIDR range in lighttpd mod_extforward is similar to allowing a CIDR range in your firewall on the server(s) running lighttpd and configuring lighttpd to trust "all" connecting IPs. Configuring mod_extforward to trust "all" is only allowed for the connecting IP, not IPs in X-Forwarded-For, as noted in the top of mod_extforward.c:

 *       In case you have chained proxies, you can add all their IP's to the
 *       config. However "all" has effect only on connecting IP, as the
 *       X-Forwarded-For header can not be trusted.

glen, didn't you write the original extension to mod_extforward to support chained proxies in #1528, including the above comment?

#8

Updated by gstrauss 6 months ago

It would work if all entry nodes (varnish, haproxy) clear the X-Forwarded-For header, so it would be filled by internal servers only.

You should not configure lighttpd to trust any remote webservers, explicitly by IP or by subnet, if the remote webserver is not configured to always set X-Forwarded-For and/or Forwarded headers properly, depending on how lighttpd mod_extforward is configured.
