Sunday 13 December 2020

Caddy server, X-Forwarded-For and spoofed value

Using Caddy server and a reverse_proxy server like the following:

my.domain.com {
    reverse_proxy * unix//path/to/socket
}

I can easily access my request headers doing the following in Python/Flask:

request.headers.get('X-Forwarded-For')

Which returns a list of values, based on the request. The documentation stipulates that the first value is the client IP, which I rely on, but I recently discovered that this value can be spoofed, like the following:

# Using Python requests
requests.get('https://my.domain.com', headers={'X-Forwarded-For': 'www.google.com'})

In that case, the header value is:

X-Forwarded-For: www.google.com, xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx being, in that case, my valid IP).

My question: How can I retrieve, with certainty, the IP of the client, excluding any spoofing?

Details:

I tested for the following headers in Flask, which are all set to None using my above Caddy configuration:

Remote Addr: 0.0.0.0
X-Forwarded-For: www.google.com, xxx.xxx.xxx.xxx
Remote-Addr: None
Client-Ip: None
X-Forwarded: None
X-Cluster-Client-Ip: None
Forwarded-For: None
Forwarded: None

Thanks!
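The header shown in the question illustrates the general rule: every proxy on the path appends the address it accepted the connection from, so only the rightmost entries, the ones written by proxies you control, can be trusted; anything the client sent arrives to the left of them. The following is an added example (not code from the question or from Caddy/Flask) of reading the header from the right and skipping known proxy hops. It assumes the application is reachable only through Caddy (here via the Unix socket, so the app's own remote address is useless, as the 0.0.0.0 in the question shows), that Caddy appends the peer address as the last entry (as the question's captured header shows), and it uses constructed TEST-NET addresses in place of the xxx values.

```python
import ipaddress

# Constructed samples mirroring the question: the first is what the app sees
# after a client forged X-Forwarded-For, the second a normal request.
SAMPLE_SPOOFED = "www.google.com, 203.0.113.7"
SAMPLE_CLEAN = "203.0.113.7"


def client_ip_from_xff(xff_header, trusted_proxies=()):
    """Return the client IP from an X-Forwarded-For value, or None.

    Walk the comma-separated list right to left. The rightmost entry was
    written by the proxy closest to the application (Caddy here). Entries
    belonging to a trusted proxy network are skipped so that chains with
    several of our own hops still resolve; the first entry that is not one
    of ours is the client. Everything further left was supplied by an
    untrusted party and is never consulted.

    trusted_proxies: iterable of IP networks/addresses (strings) for proxies
    in front of Caddy whose appended entries may be skipped. With a single
    Caddy instance this is empty and the last entry is the answer.
    """
    if not xff_header:
        return None
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    for entry in reversed(entries):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # Not an IP literal (e.g. the hostname 'www.google.com' from the
            # question). A proxy never writes such a value, so the chain is
            # forged from this point leftwards; refuse rather than guess.
            return None
        if any(addr in net for net in trusted):
            continue
        return str(addr)
    # Every entry belonged to a trusted proxy: no client address is recoverable.
    return None


if __name__ == "__main__":
    # Naive "first value" reading versus right-to-left reading.
    print("first value :", SAMPLE_SPOOFED.split(",")[0].strip())   # attacker-chosen
    print("rightmost   :", client_ip_from_xff(SAMPLE_SPOOFED))      # 203.0.113.7
    print("clean       :", client_ip_from_xff(SAMPLE_CLEAN))        # 203.0.113.7
```

Two points matter when using this in Flask. First, it only holds if nothing can reach the Flask socket except Caddy; if the app also listens on a TCP port that is reachable, an attacker connecting there controls the whole header and the rightmost entry is theirs. Second, a hop in front of Caddy (a CDN or load balancer) must be listed in trusted_proxies, otherwise its address, not the client's, is returned.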



