https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
--- Comment #24 from Tim <perry2...@yahoo.com> ---

I just re-read the spec and I see that the Proxy Protocol header must be required on every request. I'm not convinced requiring the Proxy Protocol header on every request increases security, especially not in the narrow context of HTTP and HTTPS connections. As I understood the argument, requiring the header always be present would somehow prevent spoofing. I don't see any way it prevents a malicious actor from sending a request with a falsified header. I think the correct guard against malicious actors sending falsified headers is to limit the range of IPs that can send requests with the Proxy Protocol header.

In the context of supporting Proxy Protocol in Tomcat, I wouldn't want an implementation unless it provided the ability to limit the allowed senders of the Proxy Protocol header with an allow list that specified either a list of allowed IP addresses or one or more CIDRs. It is probably better to support the spec as written, but I would support an 'optional' argument to autodetect presence of the Proxy Protocol header if it didn't meet fierce resistance from the Tomcat team and if it rejected requests with a Proxy Protocol header that did not come from an address in the allow list.

I think logs should show both the "claimed" IP as well as the actual IP a request came from. This is the approach I've taken when processing X-Request-For headers; log both the source of the TCP connection and the X-Request-For address so anybody investigating a breach can verify if the request actually came from an authorized load balancer.

Lastly, I think the implementation should make the "claimed" IP and port from the Proxy Protocol header available in the X-Forwarded-For and X-Forwarded-Port headers when handing the request off to the Servlet. This would preserve the data necessary to log both the "claimed" IP and the actual IP.
In the Tomcat access log, I think the %a and %h flags should print both the actual source of the connection (e.g. load balancer), and the "claimed" IP and port.

I'm not strongly invested in any of my positions I laid out here. I'm just trying to get a better handle on what sort of patch would be acceptable.
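The policy sketched in the comment above (an allow list of IPs/CIDRs for senders of the PROXY header, a "required" versus "optional" mode, and keeping both the actual peer address and the "claimed" address for the access log) can be made concrete with a small PROXY protocol v1 front end. The following is an added example written for this page; it is not Tomcat code and not the commenter's own implementation. The function and class names (`accept_connection`, `ConnectionInfo`, `rejected`), the allow-list entries and the sample addresses are all invented for the example, and only the text form (v1) of the header is handled.

```python
"""Added example (not Tomcat code): PROXY protocol v1 parsing with a sender allow list.

Policy modelled from the discussion:
  * only peers whose *actual* TCP source address is in an allow list (IPs or CIDRs)
    may send a PROXY header; a header from anyone else closes the connection;
  * in "required" mode a connection without a header is closed, in "optional"
    mode it is served as a plain connection;
  * the actual peer address and the "claimed" address are both kept for logging.
All names, addresses and sample input below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# A v1 header is one ASCII line of at most 107 bytes including the trailing CRLF.
V1_MAX_LEN = 107


class ProxyProtocolError(Exception):
    """Raised when the connection must be closed (bad or untrusted header)."""


@dataclass(frozen=True)
class ConnectionInfo:
    actual_ip: str              # TCP peer that opened the connection (e.g. the load balancer)
    actual_port: int
    claimed_ip: Optional[str]   # source asserted by the PROXY header; None if absent or UNKNOWN
    claimed_port: Optional[int]
    header_present: bool

    def effective_ip(self) -> str:
        """Address that request-level access control should act on."""
        return self.claimed_ip if self.claimed_ip is not None else self.actual_ip

    def access_log_fields(self) -> str:
        """'<actual> <claimed>' so an investigator can check the header came from a real LB."""
        claimed = f"{self.claimed_ip}:{self.claimed_port}" if self.claimed_ip else "-"
        return f"{self.actual_ip}:{self.actual_port} {claimed}"


def parse_allow_list(entries: List[str]) -> List[Network]:
    """Accept single addresses ('10.0.0.5') or CIDRs ('10.0.0.0/24', '2001:db8::/32')."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def sender_allowed(actual_ip: str, allow_list: List[Network]) -> bool:
    addr = ipaddress.ip_address(actual_ip)
    return any(addr in net for net in allow_list)


def parse_v1_header(data: bytes) -> Tuple[Optional[str], Optional[int], bytes]:
    """Parse 'PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\\r\\n' at the start of data.

    Returns (claimed_src_ip, claimed_src_port, bytes_after_header).
    'PROXY UNKNOWN' is accepted and yields (None, None, rest), as the spec allows.
    """
    end = data.find(b"\r\n")
    if end == -1:
        raise ProxyProtocolError("no CRLF in first bytes: header missing or truncated")
    if end + 2 > V1_MAX_LEN:
        raise ProxyProtocolError("PROXY line exceeds 107 bytes")
    fields = data[:end].split(b" ")
    rest = data[end + 2:]
    if fields[0] != b"PROXY" or len(fields) < 2:
        raise ProxyProtocolError("not a PROXY v1 line")
    proto = fields[1]
    if proto == b"UNKNOWN":
        return None, None, rest
    if proto not in (b"TCP4", b"TCP6") or len(fields) != 6:
        raise ProxyProtocolError("malformed PROXY v1 line")
    try:
        src = ipaddress.ip_address(fields[2].decode("ascii"))
        dst = ipaddress.ip_address(fields[3].decode("ascii"))
        sport, dport = int(fields[4]), int(fields[5])
    except (ValueError, UnicodeDecodeError) as e:
        raise ProxyProtocolError(f"bad address or port in PROXY line: {e}")
    want = 4 if proto == b"TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyProtocolError("address family does not match TCP4/TCP6")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyProtocolError("port out of range")
    return str(src), sport, rest


def accept_connection(actual_ip: str, actual_port: int, first_bytes: bytes,
                      allow_list: List[Network], require_header: bool = True
                      ) -> Tuple[ConnectionInfo, bytes]:
    """Apply the policy when a connection opens. Returns (info, bytes after the header)."""
    header_present = first_bytes.startswith(b"PROXY ")
    if not header_present:
        if require_header:
            raise ProxyProtocolError("PROXY header required but absent")
        return ConnectionInfo(actual_ip, actual_port, None, None, False), first_bytes
    # The allow list is checked against the address the kernel reports for the
    # socket, never against anything inside the header; that is the whole point.
    if not sender_allowed(actual_ip, allow_list):
        raise ProxyProtocolError(f"PROXY header from non-allow-listed peer {actual_ip}")
    claimed_ip, claimed_port, rest = parse_v1_header(first_bytes)
    return ConnectionInfo(actual_ip, actual_port, claimed_ip, claimed_port, True), rest


def rejected(*args, **kwargs) -> bool:
    """True if accept_connection would close the connection (helper for the checks)."""
    try:
        accept_connection(*args, **kwargs)
        return False
    except ProxyProtocolError:
        return True


if __name__ == "__main__":
    allow = parse_allow_list(["10.0.0.0/24", "2001:db8::10"])   # constructed allow list
    info, rest = accept_connection("10.0.0.5", 40000,
        b"PROXY TCP4 203.0.113.9 10.0.0.20 56324 443\r\nGET / HTTP/1.1\r\n", allow)
    print(info.access_log_fields())   # 10.0.0.5:40000 203.0.113.9:56324
    print(rejected("198.51.100.7", 1234, b"PROXY TCP4 10.0.0.5 10.0.0.20 1 2\r\n", allow))
```

Note that in optional mode a peer outside the allow list that sends no header is still served, but only with its real socket address; a peer outside the allow list that does send a header is dropped, which is exactly the behaviour the comment asks for. The two addresses in the log line are what lets an investigator distinguish a genuine load balancer from a direct connection that tried to spoof one.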