net/http/httputil: add support for X-Forwarded-Proto, X-Forwarded-Host and an option to not trust forwarded headers in ReverseProxy #36678
Conversation
googlebot
added
the
cla: yes
|
This PR (HEAD: 8648d02) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/215637 to see it. Tip: You can toggle comments from me using the |
ReverseProxy automatically sets the X-Forwarded-For header, if the request already contains a X-Forwarded-For header, the value of the client IP is appended to the existing header value. This behavior isn't documented anywhere, and can lead to IP spoofing security issues is the client is untrusted (the most common situation). This PR documents this behavior. For future versions, I proposed #36678 that implements a more secure default behavior and adds support for other forwarded headers. Change-Id: Ief14f5063caebfccb87714f54cffa927c714e5fd GitHub-Last-Rev: fd0bd29 GitHub-Pull-Request: #36672 Reviewed-on: https://go-review.googlesource.com/c/go/+/215617 Reviewed-by: Brad Fitzpatrick <[email protected]>
|
This PR (HEAD: c0b06fb) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/215637 to see it. Tip: You can toggle comments from me using the |
|
Can this be a documentation update, maybe with an example of httputil.ReverseProxy.Director function handling headers in question, instead of a backwards-incompatible change? Note that even if this change is accepted, at least some ReverseProxy users would need to support pre-change and post-change Go versions, which adds maintenance overhead. |
|
@artyom Regarding Regarding setting |
|
This PR (HEAD: a4f0f3e) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/215637 to see it. Tip: You can toggle comments from me using the |
|
@artyom I just pushed a new patch containing a backward compatible implementation. WDYT about this one? |
|
This PR (HEAD: 64fd62d) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/215637 to see it. Tip: You can toggle comments from me using the |
| @@ -244,6 +259,17 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) { | |||
| outreq.Header.Set("Upgrade", reqUpType) | |||
| } | |||
|
|
|||
| if p.OverwriteForwardedHeaders { | |||
| proto := "https" | |||
| if req.TLS == nil { | |||
There was a problem hiding this comment.
Not sure about this. req.TLS is only set when the current http server is handling the TLS. But if TLS is done by a load balancer in front of this server, it will say http, how can the backend know if it was an https request originally?
There was a problem hiding this comment.
Then you'll have to handle this manually. If the TLS termination is handled by a non-HTTP server, the proxy cannot guess it. If it is handled by an HTTP server, then this server should set the Forwarded headers.
|
This PR (HEAD: 44b8b3d) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/215637 to see it. Tip: You can toggle comments from me using the |
…t and an option to not trust forwarded headers in ReverseProxy
|
Message from Kévin Dunglas: Patch Set 6: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/215637. |
|
Message from Ian Lance Taylor: Patch Set 6: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/215637. |
|
Message from Kévin Dunglas: Patch Set 6: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/215637. |
|
Message from Damien Neil: Patch Set 6: (5 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/215637. |
|
Message from Kévin Dunglas: Patch Set 6: (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/215637. |
|
This PR (HEAD: aa0ff79) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/215637 to see it. Tip: You can toggle comments from me using the |
|
Message from Kévin Dunglas: Patch Set 7: (3 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/215637. |
|
Message from Damien Neil: Patch Set 7: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/215637. |
In addition to X-Forwarded-For, which is already supported but undocumented
(#36672), this patch adds support for the X-Forwarded-Proto (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
and X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host)
headers in ReverseProxy.
It also introduces a new option, ReverseProxy.TrustForwardedHeaders
that must be explicitly set to true to trust forwarded headers coming from
the client or previous proxies.
Setting these headers is a standard behavior expected from reverse
proxies, especially when X-Forwarded-For is set (which is already the
case).
The new ReverseProxy.TrustForwardedHeaders option fixes a potential
common security issue in user land code. It forces the user to explicitly
opt-in to trust reverse proxies in front of the Go application using
ReverseProxy.
The current behavior of blindly trusting the X-Forwarded-For header
provided by the client is very dangerous.
For instance, because of the current (undocumented) behavior, the Vulcain
gateway server (https://vulcain.rocks) was sensible to a potential security
issue.
If this flag is not set to true, previous values set by the client or
untrusted proxies will be discarded (replaced by the values computed
by ReverseProxy).
Technically, this is a BC break, but, in my opinion, it is a necessary one
to improve the security of the whole Go ecosystem using this module.
Edit: added a backward compatible implementation, see #36678 (comment)