-
Notifications
You must be signed in to change notification settings - Fork 221
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for trusted proxy headers #504
Comments
We have |
Not sure if this explanation is answering the issue about trusting easily spoofed headers. H3 should provide a small util function to only get the trusted values, similar to https://github.com/symfony/http-foundation/blob/6.3/Request.php#L783 It would then be on frameworks to allow configuring the trusted proxies and on modules to use that config. Nitro is a good candidate for this, as most of the providers are handling these headers. Did you want me to make a seperate issue there? |
I am up to supporting a special event context property such as |
Yes, I'm not concerned about users' usage, but about any integration code relying on these headers to work. Consider this as an example: Nitro implements an in-built rate limiter, to effectively rate limit we need to know the trusted IP of the request. Nitro has no current way to know if it can trust the connecting IP, generically. This is because the x-forwarded-for header can easily be spoofed on some servers without proxies that use it. Now blow this example up to Nuxt modules and all the other ways we need to know trusted IPs then you should have a better understanding of the problem. The solution requires multiple layers to solve, but as a starting point, we could introduce a way to filter for trusted headers similar to https://github.com/symfony/http-foundation/blob/6.3/Request.php#L2004. Maybe this issue is better solved completely at a nitro level though |
Thanks for explaining your use cases. I think it makes sense to introduce a standard context flag down the line from h3 directly so that the ecosystem (nitro, nuxt, nuxt modules) can rely on it to see either they can trust + h3 itself to optimize it's behavior when proxy is trusted to use the header for default What I am not sure about and hesitated, is the logic to detect if we can trust proxy being directly in h3. it might be in nitro because nitro is provider aware and can include logic for this. same as symfony which is more a full-featured framework. h3 is too way low-end for this. What i suggest is to:
I am still up to support any idea that can be on h3 level, platform agnostic and surely secure as we promise the function is! |
I really like this discussion :) I like the Lines 50 to 62 in 588c8a3
I don't know in term of performance if this will have an impact or not |
@harlan-zw Would that make sense if Then it would be Nuxt/Nitro/Modules responsibility to set Doing that way might make it easier for adoption. |
Seems like a good way to do it 👍 |
Hey guys, great inititative! Leaving here an issue that was created some time ago in the NuxtSecurity repo that could be useful here as well -> nuxt-modules/security#83 I will update nuxt-modules/security#196 once this will be merged |
Describe the feature
As a module author, for maximum compatibility, it makes life easier to just use the proxy headers and fallback to node specifics. The issue is that these won't be safe in all environments and can be spoofed (i.e
x-forwarded-for
)To solve this we need a simple implementation that:
I think combining 1 and 2 may be difficult but maybe you have some ideas on that. As a simple first implementation a
getRequestTrustedHeaders(event, trustedProxies)
may be enough.Inspo: https://laravel.com/docs/master/requests#configuring-trusted-proxies
Additional information
The text was updated successfully, but these errors were encountered: