Тема: Проксі та X-Forwarded-For
Читаю зараз доки ось тут https://koajs.com/#introduction, і там є така інфа
request.ip
Request remote address. Supports X-Forwarded-For when app.proxy is true.request.ips
When X-Forwarded-For is present and app.proxy is enabled an array of these ips is returned, ordered from upstream -> downstream. When disabled an empty array is returned.For example if the value were "client, proxy1, proxy2", you would receive the array ["client", "proxy1", "proxy2"].
Most of the reverse proxy(nginx) set x-forwarded-for via proxy_add_x_forwarded_for, which poses a certain security risk. A malicious attacker can forge a client's ip address by forging a X-Forwarded-For request header. The request sent by the client has an X-Forwarded-For request header for 'forged'. After being forwarded by the reverse proxy, request.ips will be ['forged', 'client', 'proxy1', 'proxy2'].
Koa offers two options to avoid being bypassed.
If you can control the reverse proxy, you can avoid bypassing by adjusting the configuration, or use the app.proxyIpHeader provided by koa to avoid reading x-forwarded-for to get ips.
const app = new Koa({ proxy: true, proxyIpHeader: 'X-Real-IP', });
If you know exactly how many reverse proxies are in front of the server, you can avoid reading the user's forged request header by configuring app.maxIpsCount:
const app = new Koa({ proxy: true, maxIpsCount: 1, // only one proxy in front of the server }); // request.header['X-Forwarded-For'] === [ '127.0.0.1', '127.0.0.2' ]; // ctx.ips === [ '127.0.0.2' ];
В якому це випадку у нас є декілька IP на об'єкті request? Це якшо користувач юзає проксі, або декілька проксі, то тоді список IP цих проксі буде в масиві request.ips ? Таке взагалі буває?
Про те A malicious attacker can forge..., а шо це за атака, і в чому її суть?