DSpace - DS-4074

Limit X-Forwarded-For header to "trusted" proxies


    Details

    • Attachments:
      0
    • Comments:
      1
    • Documentation Status:
      Complete or Committed

      Description

      This ticket was created based on this PR from Tom Desair:

      https://github.com/DSpace/DSpace/pull/2207

      When using useProxies = true, DSpace always trusted the X-Forwarded-For header regardless of the source. This would allow clients that manually set an X-Forwarded-For header value to spoof an IP address. This PR introduces a list of trusted known proxies. DSpace will only use the X-Forwarded-For value if the request originates from a trusted proxy (range).

      In DSpace 7, when Angular developers run the Angular Universal server on their local machine and use an external REST API (e.g. the public DSpace 7 REST API), this currently leads to issues when doing a browser refresh while authenticated (see PR for more details).

      Since DSpace 7 will always have an Angular Universal proxy server, I've changed the default value of useProxies to true. I've also preconfigured the list of trusted proxies to be 127.0.0.1 since most instances will run on a single machine. I've added comments explaining what needs to be changed when running the Angular UI on a different server.
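
The following is an added illustration of the trust rule the description outlines; it is not DSpace's own code (DSpace is Java, and the PR linked above holds the real implementation). It assumes a hypothetical legacy resolver that took the leftmost X-Forwarded-For entry from any client, and contrasts it with a resolver that honours the header only when the TCP peer is in a configured trusted-proxy list. It goes one step beyond the ticket by walking a multi-hop header from right to left and skipping every trusted hop, which is what you need once more than one proxy sits in front of the REST API. The 127.0.0.1 default, the example address 10.1.1.5 for a separately hosted Angular UI server, and all sample addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional

# Mirrors the ticket's single-machine default: only the local Angular Universal
# proxy is allowed to tell the REST API who the real client is.
DEFAULT_TRUSTED_PROXIES = ("127.0.0.1",)


def _parse_networks(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Accept plain addresses or CIDR ranges ("10.0.0.0/8") as trusted proxies."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]


def _is_trusted(addr: str, nets: List[ipaddress._BaseNetwork]) -> bool:
    """True if addr parses and falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # malformed entries are never trusted
    return any(ip in n for n in nets)


def client_ip_legacy(remote_addr: str, xff_header: Optional[str]) -> str:
    """Hypothetical pre-fix behaviour: believe X-Forwarded-For from anyone.

    Any client can connect directly and send a forged header, so the
    returned address is attacker-controlled.
    """
    if xff_header:
        first = xff_header.split(",")[0].strip()
        if first:
            return first
    return remote_addr


def client_ip(
    remote_addr: str,
    xff_header: Optional[str],
    use_proxies: bool = True,
    trusted_proxies: Iterable[str] = DEFAULT_TRUSTED_PROXIES,
) -> str:
    """Resolve the client address, honouring X-Forwarded-For only from trusted proxies.

    remote_addr is the TCP peer (what the servlet container reports);
    xff_header is the raw X-Forwarded-For value, or None if absent.
    """
    if not use_proxies or not xff_header:
        return remote_addr

    nets = _parse_networks(trusted_proxies)

    # The header is only meaningful if the peer that delivered it is a proxy
    # we operate. A direct client setting the header is simply ignored.
    if not _is_trusted(remote_addr, nets):
        return remote_addr

    # Each proxy appends the address it received the request from, so the
    # chain reads left-to-right from oldest to newest hop. Walk it from the
    # right: skip our own proxies, and the first hop we do not trust is the
    # client. Anything further left was supplied by that client and is
    # untrustworthy, so it is never consulted.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, nets):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Garbage where the client address should be: fall back to the
            # peer rather than logging or rate-limiting on attacker text.
            return remote_addr
        return hop

    # Every hop was one of our proxies (e.g. an internal health check), so the
    # nearest proxy is the best answer we have.
    return remote_addr


if __name__ == "__main__":
    # Direct connection from 203.0.113.7 carrying a forged header.
    print("legacy:", client_ip_legacy("203.0.113.7", "10.0.0.5"))   # 10.0.0.5 (spoofed)
    print("fixed: ", client_ip("203.0.113.7", "10.0.0.5"))          # 203.0.113.7
    # Same header arriving via the local Angular Universal proxy.
    print("proxied:", client_ip("127.0.0.1", "198.51.100.9"))       # 198.51.100.9
    # UI server on another host must be added to the trusted list, as the
    # ticket's configuration comments describe.
    print("remote UI, untrusted:", client_ip("10.1.1.5", "198.51.100.9"))
    print("remote UI, trusted:  ",
          client_ip("10.1.1.5", "198.51.100.9", trusted_proxies=("127.0.0.1", "10.1.1.5")))
```

The practical check after deploying such a rule is the second case above: from a machine that is not a trusted proxy, send a request with a forged X-Forwarded-For and confirm the access log records your real address, not the forged one.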


            People

            • Assignee:
              tom.desair Tom Desair
              Reporter:
              tdonohue Tim Donohue
              Reviewer:
              Tim Donohue
            • Votes:
              0
              Watchers:
              1
