Definition for the X-Forwarded-For HTTP header - http

Where can I find a definition for the X-Forwarded-For HTTP header? Most sites refer to the Wikipedia page. There the X-Forwarded-For format is described as X-Forwarded-For: client, proxy1, proxy2. I'm curious what valid strings for one entry can be. Are the following examples valid entries?
192.0.2.60
192.0.2.60:58074
2001:db8:cafe::17
[2001:db8:cafe::17]:47011
"[2001:db8:cafe::17]:47011"

There is none as it is a non-standard header that cannot be found through the message header registry. So your examples are all valid if you decide them to be valid.
If you want to go by a standard, RFC 7239 provides a standardized mechanism in place of X-Forwarded-For and X-Forwarded-Proto.

This has already been discussed here: What is a full specification of X-Forwarded-Proto HTTP header
You can also have a look at section 7.4 of rfc7239.

Related

Why can the X-Forwarded-For HTTP header take any value as a parameter?

I am currently working through the PortSwigger Academy labs. There was one lab where you had to alter the IP address in order to bypass the log-in cool-off. The solution was to add the X-Forwarded-For header and use a different IP address on every single try. I figured that I could use any value as the IP address, and I would not get any error. I am curious to know why that is possible. Is it the recipient's fault, or does the X-Forwarded-For header simply not care what kind of value you give it?
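An added example (not from either post above) that serves both the question on valid entry formats and the question on why any value is accepted: it parses the entry forms listed in the first question and then picks the client address by walking the chain from the right, skipping only hops our own proxies appended, so the client-supplied left-most value is never trusted on its own. TRUSTED_PROXIES is a constructed placeholder.

```python
import ipaddress
import re

# Constructed for this example: the proxies we operate. Anything else in the chain is untrusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.200/32")]

_BRACKETED = re.compile(r"^\[([0-9a-fA-F:.]+)\](?::(\d{1,5}))?$")


def parse_entry(entry):
    """Parse one X-Forwarded-For element into (ip, port); port is None when absent.

    Accepts the forms asked about: bare IPv4/IPv6, IPv4:port, [IPv6]:port, and any
    of these wrapped in double quotes. Returns None for anything that is not an IP.
    """
    e = entry.strip()
    if len(e) >= 2 and e[0] == e[-1] == '"':
        e = e[1:-1]
    port = None
    m = _BRACKETED.match(e)
    if m:
        e, port = m.group(1), m.group(2)
    elif e.count(":") == 1:  # IPv4:port (an IPv6 literal always has more than one colon)
        e, port = e.split(":")
    try:
        ip = ipaddress.ip_address(e)
    except ValueError:
        return None
    if port is not None:
        if not port.isdigit() or not 0 < int(port) < 65536:
            return None
        port = int(port)
    return ip, port


def client_ip(xff_header, trusted=TRUSTED_PROXIES):
    """Walk the chain right to left, skipping our own proxies; the first other address is the client.

    The left-most value is whatever the client sent, which is why a login throttle keyed
    on it alone can be evaded as in the lab. Only the hops our proxies appended count.
    """
    for raw in reversed(xff_header.split(",")):
        parsed = parse_entry(raw)
        if parsed is None:
            return None  # malformed where a trusted hop should be: refuse rather than guess
        ip, _port = parsed
        if not any(ip in net for net in trusted):
            return str(ip)
    return None  # every hop was one of ours (or the header was empty)
```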

Reverse proxy to bypass X-Frame-Options

Good evening everyone,
I have developed a web app for our school that is loaded into a kiosk app on ChromeOS and Windows so that students can take digital tests and exams in a protected environment.
The web app also allows you to consult sources, these sources are links to, for example, a news site, wikipedia, you name it..
Unfortunately, many external links do not work because they are loaded into the web app via an iframe, and nowadays many websites do not allow this, signalling it in headers such as X-Frame-Options.
I had hope at https://github.com/niutech/x-frame-bypass but unfortunately it no longer works.
I also come to the conclusion that a reverse proxy could offer a solution here, but I have no experience with this and research does not make it any easier for me. Or are there even better/other solutions?
As a test I was able to get google.be to load within an iframe with the configuration below; however, I encounter 2 problems that I hope I can find a solution for this way.
Issue 1: Images and CSS not loading
The content links to the proxy server, of course that content does not exist on the reverse proxy server.
Issue 2: Every teacher can create exams/tests with their own external sources, so it is impossible to add all those external URLs to the reverse proxy every time.
That's why I thought of deriving the URL for the proxy_pass from the reverse proxy URL.
Reverse proxy url: http://sitekiosk.xyz/bypass/google.be
google.be gets used in the proxy_pass
Reverse proxy url: http://sitekiosk.xyz/bypass/wikipedia.be
wikipedia.be gets used in the proxy_pass
And so on...
location /bypass {
    proxy_set_header Host www.google.be;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://google.be/;
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "ALLOWALL";
}
Is this technically possible? Can someone help me with this?
Thank you in advance for taking the time to go through this!
My apologies for my Google Translate English :-)

spring HATEOAS links issue for HTTP and HTTPS

I am using Spring HATEOAS in my web application. My application runs behind an Nginx webserver. I am sending the following URL over HTTPS:
GET https://national.usa.com/testapp-rest/api/user/654rtrtet-5grt-fgsdf-dfgs-765ytrtsdhshfgsh/newAuthentication
Status Code:200 OK
Response Headers
Access-Control-Allow-Headers:x-requested-with, Accept, Content-Type, Origin, Authorization, X-Auth-Token
Access-Control-Allow-Methods:POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin:*
Access-Control-Expose-Headers:X-Auth-Token
Access-Control-Max-Age:3600
Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Type:application/json
Pragma:No-cache
Server:XXX/1.6.0
Strict-Transport-Security:max-age=31536000
Transfer-Encoding:chunked
Request Headers
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch
But when I look at the response body, I see the HATEOAS links are only returning HTTP. How do I fix this issue? Please guide.
links: [
  {rel: "self", href: "http://national.usa.com/testapp-rest/api/user/5435fdsg-45gfdgag-rewtdf43434-43543fsd"}
]
Edit: Yes, I am using the following code to create links:
resource.add(ControllerLinkBuilder.linkTo(ControllerLinkBuilder.methodOn(TestController.class).getStudentResponse(response.getStudentId())).withSelfRel());
As you mentioned in the comments, your application runs behind a webserver, in this case Nginx.
You are using some sort of
linkTo(methodOn(MyController.class).myMethod(name)).withSelfRel());
to generate links. In this case take a look at ControllerLinkBuilder. As you can see in line 190, Spring HATEOAS builds a link based on the current request.
In addition, the request headers X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Ssl are queried and used if available.
That is what you missed configuring in order to build proper links with Spring HATEOAS.
Because you complain that only https is missing in your links, Nginx already sets X-Forwarded-For but skips X-Forwarded-Proto. I assume that Nginx and your application communicate over http, otherwise you wouldn't have trouble.
You can ignore X-Forwarded-Ssl. It is only relevant if Nginx and your application are talking over https. In that case you wouldn't see any issue either.
Below you find a complete Nginx location block for reference. X-Forwarded-Proto has been set to https in order to inform the proxied system that links have to contain https in any URLs (only if the backend system processes the aforementioned request header).
location /yourapp {
    proxy_pass http://localhost:8080/yourapp;
    proxy_redirect default;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Tell the backend the client connected over TLS so generated links use https
    proxy_set_header X-Forwarded-Proto https;
}
For further reading please consult Nginx documentation for the http_proxy_module.

How does web application restore original URL after HTTP proxy or load balancer?

You deploy a Web application (in my case Java EE + Spring MVC, but I think it doesn't matter which web stack is used) and hide it behind an HTTP proxy or load balancer.
Proxy/balancer software can fix HTTP headers. This is not the question.
But the application itself puts links into the generated HTML:
...
...
The proxy/balancer can use a different $HOST:$PORT or $CONTEXT part. In the case of Java EE with JSP, this piece of code fixes the issue:
<c:url value="$PATH" />
${pageContext.request.contextPath}/$PATH
I want to know how Web framework gets knowledge about user requested $HOST:$PORT/$CONTEXT so it can be rendered in HTML?
Is this info extracted from:
http://en.wikipedia.org/wiki/X-Forwarded-For
non-standard de-facto header? It looks like:
X-Forwarded-For: client, proxy1, proxy2, ..., proxyN
so does the web framework extract the second argument (which is proxy1 in my example, or the host IP if N == 0) to provide $HOST:$PORT/$CONTEXT to you?
This is going to depend on your particular proxy or load balancer. X-Forwarded-For is very common, but it usually only tells you the IP address of the original request.
In AWS you can use three headers to construct more of the original URL:
X-Forwarded-For
X-Forwarded-Proto
X-Forwarded-Port
Apache uses these and you can configure other custom headers with additional data:
X-Forwarded-For - The IP address of the client.
X-Forwarded-Host - The original host requested by the client in the Host HTTP request header.
X-Forwarded-Server - The hostname of the proxy server.
In Azure, these headers are available:
x-original-host
x-original-path
Bottom line is that there is no standard way of re-constructing the original URL. You will have to use the documentation of whatever proxy you are using. Some data may be missing. In some cases you may be able to configure the proxy to send missing data in custom headers.
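An added example (not from the answers above) illustrating both the Spring HATEOAS answer and this question: reconstructing the external scheme, host and port from X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Port and X-Forwarded-Ssl, and honouring those headers only when the request actually arrived from one of our own proxies. TRUSTED_PROXY_NETS and the default local host are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlunsplit

# Constructed for this example: addresses our own reverse proxy connects from.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]


def external_base_url(headers, peer_ip, local_scheme="http", local_host="localhost:8080"):
    """Return the scheme://host[:port] the client used, as seen through a reverse proxy.

    headers: dict of request headers (names matched case-insensitively).
    peer_ip: the address the TCP connection actually came from.
    X-Forwarded-* values are honoured only when the peer is one of our proxies; otherwise
    any client could forge them and have the application emit links to a host of its choosing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host = local_scheme, h.get("host", local_host)
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXY_NETS):
        return urlunsplit((scheme, host, "", "", ""))

    def first(name):
        # A proxy chain may append comma-separated values; the first is the outermost hop.
        return h.get(name, "").split(",")[0].strip()

    if first("x-forwarded-ssl").lower() == "on":
        scheme = "https"
    proto = first("x-forwarded-proto").lower()
    if proto in ("http", "https"):
        scheme = proto
    if first("x-forwarded-host"):
        host = first("x-forwarded-host")
    port = first("x-forwarded-port")
    # Append the port only if the host carries none and it is not the scheme default.
    has_port = ":" in host.rsplit("]", 1)[-1]
    if port.isdigit() and not has_port and port != {"http": "80", "https": "443"}[scheme]:
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, "", "", ""))


def self_link(headers, peer_ip, path):
    """Absolute self link, the kind Spring HATEOAS builds from the current request."""
    return external_base_url(headers, peer_ip) + path
```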

Which headers should a proxy send? X-Forwarded-Host vs X-Host

Which headers should a proxy send? There seem to be 2 different headers for forwarding the original host: X-Forwarded-Host and X-Host. Which of these two headers should a proxy send? Or both headers?
X-Forwarded-Host with the caveat that this is not a well defined standard.
Definitely X-Forwarded-For. It's what Squid, mod_proxy, et al. use.
