Hi,
I came across Djehuty recently and skimmed the code and documentation, when I noticed that while there is a way to configure the use of the "X-Forwarded-For" header to get the client IP address, there is no configuration option for limiting the IP address(es) that are allowed to set this header. I believe allowing any source to set the header would allow spoofing the client IP. I haven't tried to confirm this behaviour or test if this makes e.g. 4TU.ResearchData vulnerable; I do know that I had to set an IP address (range) for Nextcloud and other applications to accept requests from.
Reading https://owasp.org/www-community/pages/attacks/ip_spoofing_via_http_headers , and understanding from the code that the header value is only used in logging, perhaps the risk is not very high.
I am not an expert on this specific topic, so perhaps it could suffice to make the reverse proxy itself strict (it should remove existing X-Forwarded-For headers before setting it) and configure the network to only allow web traffic from the reverse proxy. However, the documentation does not warn about the consequences of not taking precautions within or around the software when using a reverse proxy.
It looks like the example configuration in the documentation using nginx would overwrite any existing X-Forwarded-For header, which is probably good.
I hope you will consider risks associated with not preventing IP spoofing in the application.
Regards,
Ben Companjen
Ben Companjen
Research Software and Data Engineer / Digital Scholarship Librarian
Centre for Digital Scholarship
Leiden University Libraries (UBL)
Tel: +31634556900
Post: Postbus 9501, 2300 RA Leiden
E-mail: b.a.companjen@library.leidenuniv.nl
Web: https://www.universiteitleiden.nl/en/staffmembers/ben-companjen
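The two approaches the message contrasts, trusting X-Forwarded-For from any peer versus only accepting it from a configured reverse proxy, side by side as an added example. This is illustration code written for this page, not Djehuty's own code; it assumes a WSGI-style `environ` dict (`REMOTE_ADDR`, `HTTP_X_FORWARDED_FOR`), and the trusted proxy ranges and sample addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable

# Hypothetical trusted-proxy ranges for this example. A real deployment would
# list only the address(es) its own reverse proxy connects from.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def _is_trusted(addr: str, trusted: Iterable) -> bool:
    """True if addr parses as an IP and falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_naive(environ: dict) -> str:
    """Weak form: believes X-Forwarded-For no matter who sent it.

    Any client that can reach the application directly (or whose proxy appends
    rather than overwrites the header) can put an arbitrary address here.
    """
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_ip_strict(environ: dict, trusted=TRUSTED_PROXIES) -> str:
    """Hardened form: only honour the header when the TCP peer is a trusted proxy.

    X-Forwarded-For is a comma-separated chain; each proxy appends the address
    it saw on the right. Walking from the right, every entry added by one of our
    trusted proxies can be skipped, and the first untrusted address reached is the
    real client. Anything further left was supplied by that client and is ignored.
    """
    peer = environ["REMOTE_ADDR"]
    if not _is_trusted(peer, trusted):
        # Direct connection from an untrusted host: the header is untrustworthy.
        return peer

    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]

    candidate = peer
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            candidate = hop  # another of our proxies; keep walking left
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and keep the last good address
        return hop
    # Every entry (or none) belonged to trusted proxies; report the last one seen.
    return candidate


if __name__ == "__main__":
    # Constructed request: an attacker connects straight to the app and forges the header.
    direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "198.51.100.1"}
    # Constructed request: the attacker sent a forged header, and a trusted proxy
    # at 10.0.0.5 appended the real client address 203.0.113.7 to the right.
    proxied = {"REMOTE_ADDR": "10.0.0.5",
               "HTTP_X_FORWARDED_FOR": "198.51.100.1, 203.0.113.7"}
    for name, env in (("direct", direct), ("proxied", proxied)):
        print(name, "naive:", client_ip_naive(env), "strict:", client_ip_strict(env))
```

The strict version only helps if the proxy appends rather than overwrites when the network also permits direct connections; in nginx, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the peer address to whatever the client sent, while `$remote_addr` replaces the header outright, so an application that picks the left-most entry is spoofable under the former unless it skips trusted hops as above.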