jshttp / proxy-addr Goto Github PK
View Code? Open in Web Editor NEWDetermine address of proxied request
License: MIT License
Determine address of proxied request
License: MIT License
Since 2014, RFC7239 has standardized the Forwarded:
header which allows chaining of multiple forwards in a more extensible way.
An example of this header being set when the origin request passes through only one reverse proxy might look like
Forwarded: for=12.34.56.78;host=example.com;proto=https
As far as I can tell (from proxy-addr
docs, and also attempting to use express-session
with this header and app.set('trust proxy', 'loopback')
, this is being ignored by proxy-addr
and therefore causing the Forwarded:
header to be unsupported by upstream middleware such as express-session
which relies on things being set in the request by proxy-addr
.
Hi!
When using an unix socket instead of a tcp port req.connection.remoteAddress
is undefined. And forwarded
adds that undefined value to the array of forwarded IPs (https://github.com/jshttp/proxy-addr/blob/master/index.js#L57). So given that undefined is not a valid ip https://github.com/jshttp/proxy-addr/blob/master/index.js#L254 returns false
for the index 0 and so no IP is trusted.
If are you willing to accept a PR to solve this issue, I can offer to write it: for example considering undefined the loopback address or adding an special option for that case.
Thanks!
Been using uniquelocal
as a trust proxy
for expressjs to ignore rfc1918 addresses that trusted proxies are deployed into to get to the true client up.
All had been working well with this until ipv4 ips started being prefixed with ::ffff:
e.g. ::ffff:10.2.3.4
. Some cursory research suggest that these are ipv6 mapped ipv4 ips when running in an ipv6 complaint network.
https://stackoverflow.com/questions/29411551/express-js-req-ip-is-returning-ffff127-0-0-1
Given that it would seem to make sense to include these in the built in sets of uniquelocal
, loopback
, and linklocal
var IP_RANGES = {
linklocal: ['169.254.0.0/16', '::ffff:169.254.0.0/16', 'fe80::/10'],
loopback: ['127.0.0.1/8', '::ffff:127.0.0.1/8', '::1/128'],
uniquelocal: ['10.0.0.0/8', '::ffff:10.0.0.0/8', '172.16.0.0/12', '::ffff:172.16.0.0/12', '192.168.0.0/16', '::ffff:192.168.0.0/16', 'fc00::/7']
}
Fixes breaking issue when undefined is passed through to the ipaddr
isValid
method as seen here:
Current latest version for ipaddr.js is 2.0.1
In this code is calling trust with two arguments:
Line 69 in 1cdd2f7
But if look on the returned function from compile()
-> compileTrust()
-> trustSingle/Multi()
, its just using one argument.
Line 307 in 1cdd2f7
My question is, what the second parameter is used for? is safe to ignore that?
I can create PR to remove that if needed.
Are you planning to add source port support to this module?
Source ports are necessary to uniquely identify users behind NATs and can be obtained from X-Forwarded-Port
and friends.
yo, looking at this, i'm a little confused. i'm not sure what's going on, and other people will probably be even more confused. it's very oriented towards implementors and not regular devs.
protocol([trust])(req) === 'https:'
, but doing that seems convoluted from looking at express's code. for example, https://github.com/visionmedia/express/blob/master/lib/utils.js#L242 should be in its own library or included here.I am trying to update express-ipfilter
Where the suggestion was to switch to proxy-addr to find proxied IPs.
We have some test for x-real-ip
and I assume users who rely on x-real-ip
that would be blocked from their blacklist if I were to release now.
I can, of course, fix it in express-ipfilter but I would prefer to fix it upstream
I have my configuration options in deeply frozen object, so I do not accidentaly modify them and use new ones somewhere else. When setting trust proxy
from that config object, proxy-addr
tries to modify it.
Versions I have are [email protected]
and [email protected]
. The fix might be to .slice()
it first:
var trust = trustArg.slice();
Relevant stacktrace frames:
<project>/node_modules/proxy-addr/index.js:106
trust.splice.apply(trust, [i, 1].concat(val));
^
TypeError: Cannot add/remove sealed array elements
at Array.splice (<anonymous>)
at Function.compile (<project>/node_modules/proxy-addr/index.js:106:18)
at exports.compileTrust (<project>/node_modules/express/lib/utils.js:250:20)
at Function.set (<project>/node_modules/express/lib/application.js:372:34)
< … omitted … >
Example doesn't work
const proxyAddr = require('proxy-addr');
proxyAddr.compile('localhost'); // throws error TypeError: invalid IP address: localhost
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.