Project

General

Profile

Actions

Feature #2860

closed

RFE: mod_extforward CIDR support

Added by glen almost 7 years ago. Updated over 6 years ago.

Status:
Fixed
Priority:
Low
Category:
mod_extforward
Target version:
ASK QUESTIONS IN Forums:

Description

lighttpd does not support adding whole networks as extforwarder.

tried variants:

$HTTP["remoteip"] == "192.168.24.0/24" {
    extforward.forwarder = ( "all" => "trust" )
}
extforward.forwarder = (
    "192.168.24.0" => "trust",
)
extforward.forwarder = (
    "192.168.24.0/24" => "trust",
)

the second problem (or part of the problem) is that chained trust (no longer?) works:

$HTTP["remoteip"] == "192.168.24.0/24" {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("X-Real-IP","X-Forwarded-For")
}

For this additional row must be added to haproxy:

http-request set-header X-Real-IP %[src]

the problem was that there were multiple IP-s in the x-forwarded-for header and it seems lighty was able to trust only one of internal ip.

if the lighttpd is reached via multiple trusted proxies, those need all be trusted and X-Forwarded-For walked until first untrusted ip is found.

Actions #1

Updated by gstrauss almost 7 years ago

  • Subject changed from missing proper extforward cidr support to RFE: mod_extforward CIDR support
  • Priority changed from Normal to Low

No, mod_extforward does not have CIDR support.

mod_extforward has support for haproxy PROXY protocol.
See #2804 and Docs_ModExtForward extforward.hap-PROXY and extforward.hap-PROXY-ssl-client-verify

Actions #2

Updated by glen almost 7 years ago

gstrauss wrote:

No, mod_extforward does not have CIDR support.

mod_extforward has support for haproxy PROXY protocol.
See #2804 and Docs_ModExtForward extforward.hap-PROXY and extforward.hap-PROXY-ssl-client-verify

sadly that does not satisfy me, because i have varnish as lighttpd upstream for http connections and varnish+haproxy for https connections. so lighttpd is contacted via varnish only

also, even when using haproxy PROXY, the extforward.forwarder still doesn't support CIDR:

Also, note that when extforward.hap-PROXY = "enable", mod_extforward will process HAProxy PROXY protocol requests only for trusted proxies configured in extforward.forwarder.

Actions #3

Updated by gstrauss over 6 years ago

Alternative: configure lighttpd mod_extforward to trust all IPs, and configure the firewall on the lighttpd server to allow inbound connections only from the subnet with your varnish servers.

Actions #4

Updated by gstrauss over 6 years ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.49
Actions #5

Updated by gstrauss over 6 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
Actions #6

Updated by glen over 6 years ago

i have considered alternative, but it's insecure to trust all addresses from proxy headers in case of value chaining, because client may also send such header.

it would work if all entry notes (varnish, haproxy) clear the X-Forwarded-For header, so it would be filled by internal servers only.

Actions #7

Updated by gstrauss over 6 years ago

Allowing a CIDR range in lighttpd mod_extforward is similar to allowing a CIDR range in your firewall on the server(s) running lighttpd and configuring lighttpd to trust "all" connecting IPs. Configuring mod_extforward to trust "all" is only allowed for the connecting IP, not IPs in X-Forwarded-For, as noted in the top of mod_extforward.c:

 *       In case you have chained proxies, you can add all their IP's to the
 *       config. However "all" has effect only on connecting IP, as the
 *       X-Forwarded-For header can not be trusted.

@glen, didn't you write the original extension to mod_extforward to support chained proxies in #1528, including the above comment?

Actions #8

Updated by gstrauss over 6 years ago

it would work if all entry notes (varnish, haproxy) clear the X-Forwarded-For header, so it would be filled by internal servers only.

You should not configure lighttpd to trust any remote webservers, explicitly by IP or by subnet, if the remote webserver is not configured to always set X-Forwarded-For and/or Forwarded headers properly, depending on how lighttpd mod_extforward is configured.

Actions

Also available in: Atom