AGH accepts all XFF headers without restriction #2799
Comments
ZeroClover
changed the title
|
I am afraid it is not a feature request. It should be considered as a security issue. AGH should implement a restriction to prevent "faking IP". |
The thing is that rate-limiting currently only works for UDP, it is a measure for mitigating DNS amplification attacks, and other protocols aren't used for that. This issue does make Access settings useless, though. It's labeled as "enhancement" (which is not a feature request) since it adds functionality (trusted IPs list). |
ainar-g
added
the
external libs
Merge in DNS/dnsproxy from imp-xff to master Updates AdguardTeam/AdGuardHome#2799. Squashed commit of the following: commit aef68d4 Author: Eugene Burkov <e.burkov@adguard.com> Date: Fri Jul 23 16:30:09 2021 +0300 proxy: trim spaces commit bf36249 Author: Eugene Burkov <e.burkov@adguard.com> Date: Fri Jul 23 16:11:36 2021 +0300 proxy: fix logic commit f381fe2 Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Jul 22 19:56:25 2021 +0300 all: upd go version to 1.16 in specs commit 54b9fbd Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Jul 22 19:52:59 2021 +0300 all: upd go version to 1.16 for github commit a2cd74d Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Jul 22 19:47:10 2021 +0300 proxy: imp code commit a8ae14f Author: Eugene Burkov <e.burkov@adguard.com> Date: Thu Jul 22 16:35:03 2021 +0300 proxy: add trusted proxies
|
@ZeroClover, there is a new build in the edge channel available. It implements the trusted proxies feature. It's also documented in an appropriate wiki section. Could you please check if it works for you? |
|
We'll close the issue for now. You're welcome to open the new issues in case of encounter those. |
Updates AdguardTeam/AdGuardHome#2799. Squashed commit of the following: commit 874cf42 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Aug 2 14:43:10 2021 +0300 proxy: do not refuse reqs from untrusted proxies
Merge in DNS/adguard-home from 2799-trusted-proxy to master Updates AdguardTeam#2799. Squashed commit of the following: commit 708a06b Author: Eugene Burkov <e.burkov@adguard.com> Date: Fri Jul 23 18:56:16 2021 +0300 all: add trusted proxy mechanism
Updates AdguardTeam#2799. Squashed commit of the following: commit bc768fd Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Aug 2 15:00:10 2021 +0300 all: do not refuse reqs from untrusted proxies
In #1220, AGH accepts some HTTP headers to get the visitor's raw IP.
However, the AGH does not restrict which IPs can send these headers, but accepts them from all IPs.
This means that when the AGH is deployed publicly and uses DoH, rate limiting may be completely useless. The AGH administrator will not be able to use the AGH's own functionality to block malicious users.
I constructed some malicious requests on my AGH server to illustrate the problem more clearly. Obviously, Cloudflare and Google could not have used my server as an upstream.
Screenshot:
I recommend that AGH add a separate configuration to allow users to set trusted IPs and trust the local loopback by default (127.0.0.1).
The text was updated successfully, but these errors were encountered: