by knorker 323 days ago
1. Have (and maintain!) a list of addresses you trust to not lie (e.g. your own proxy layers, Cloudflare's proxy IP list, Akamai, GCP LB, AWS LB, etc…)

2. If the connecting party (real TCP connection remote end) is in the trusted list, then take the rightmost address in XFF and set as remote end.

3. Repeat 2 until you get an address not in the trusted list.

4. That is now the real client IP. Discard anything to the left of it in XFF. (though maybe log it, if you want)

The article seems to forget the step of checking the real TCP connection remote address (from my skimming), which means that if the web server can be accessed directly, and not just through a load balancer that always sets the header, then the article is a security hole.
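The four steps above as a worked example in Python (added here; this is not knorker's code or the article's), assuming a constructed trusted list of two private/documentation ranges and returning both the resolved client and the discarded left-hand hops:

```python
import ipaddress
from typing import List, Optional, Tuple

# Step 1: the trusted list. Constructed example ranges, not a real provider list.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]


def is_trusted(addr: str) -> bool:
    """True only for a syntactically valid IP that falls inside a trusted range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(remote_addr: str, xff_header: Optional[str]) -> Tuple[str, List[str]]:
    """Return (client_ip, discarded_left_hops).

    remote_addr is the real TCP peer (REMOTE_ADDR); xff_header is the raw
    X-Forwarded-For value or None.
    """
    # Step 2, first iteration: XFF is only meaningful if the TCP peer is trusted.
    # A direct connection from an untrusted peer ignores the header entirely.
    if not is_trusted(remote_addr):
        return remote_addr, []

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    last_trusted = remote_addr
    # Step 3: walk right to left while each address is a trusted proxy.
    while hops:
        candidate = hops.pop()
        if not is_trusted(candidate):
            # Step 4: first untrusted address is the client; anything left of it
            # is attacker-controllable and is only returned for logging.
            return candidate, hops
        last_trusted = candidate
    # Every hop was trusted (e.g. an internal caller): report the last one seen.
    return last_trusted, []
```

The second return value is the part knorker suggests logging but never trusting.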

2 comments

If you're not coming from a proxy and hitting the app server directly, you'd use the connection info directly. Most servers and languages expose this as a variable called `REMOTE_ADDR`
Yes, this is step 2, the first iteration.
Thank you for your comment:

> The article seems to forget the step of checking the real TCP connection remote address (from my skimming)

as this alerted me when reading the article to see their very important, but not highlighted, caveat emptor that covers this dangerous case:

  Note that this logic assumes that your server is not directly accessible. 
  If it is, you need to check the actual request source IP address is one of yours first - 
  effectively treating that as an extra right-most address.
Ah, so it does.

But when you make an assumption, you make an ass of u and mption. To have your webserver simply assume that anybody who manages to connect is trusted is not a great plan.

There's a right way to do it (see my previous comment), so it seems to me that one shouldn't do the wrong thing and hope that it's not a problem.

> the actual request source IP address is one of yours first

I guess this also confused me skimming. "One of yours". No, you check if it's coming from where it's supposed to be coming, I'd say. Or from the trusted list, as I'd call it.