mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2026-03-04 00:01:12 -05:00
AGH accepts all XFF headers without restriction #2551
Originally created by @ZeroClover on GitHub (Mar 10, 2021).
Originally assigned to: @EugeneOne1 on GitHub.
In #1220, AGH accepts some HTTP headers to get the visitor's raw IP.
However, the AGH does not restrict which IPs can send these headers, but accepts them from all IPs.
This means that when the AGH is deployed publicly and uses DoH, rate limiting may be completely useless. The AGH administrator will not be able to use the AGH's own functionality to block malicious users.
I constructed some malicious requests on my AGH server to illustrate the problem more clearly. Obviously, Cloudflare and Google could not have used my server as an upstream.
Screenshot:
I recommend that AGH add a separate configuration to allow users to set trusted IPs and trust the local loopback by default (127.0.0.1).
@SukkaW commented on GitHub (Mar 12, 2021):
@ainar-g
I am afraid it is not a feature request. It should be considered as a security issue.
AGH should implement a restriction to prevent "faking IP".
@ameshkov commented on GitHub (Mar 12, 2021):
The thing is that rate-limiting currently only works for UDP, it is a measure for mitigating DNS amplification attacks, and other protocols aren't used for that.
This issue does make Access settings useless, though. It's labeled as "enhancement" (which is not a feature request) since it adds functionality (trusted IPs list).
@EugeneOne1 commented on GitHub (Jul 26, 2021):
@ZeroClover, there is a new build in the edge channel available. It implements the trusted proxies feature. It's also documented in an appropriate wiki section. Could you please check if it works for you?
@EugeneOne1 commented on GitHub (Jul 30, 2021):
We'll close the issue for now. You're welcome to open new issues if you encounter any.
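
The trusted-proxy check this thread asks for, sketched as an added example; it is not part of the original thread and is not AdGuard Home's own code. The names `trustedProxies`, `isTrusted` and `clientIP` are hypothetical, and the allow-list and addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed allow-list (hypothetical name): loopback only, the default the issue suggests.
var trustedProxies = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("::1/128"),
}

func isTrusted(ip netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(ip.Unmap()) { // Unmap so ::ffff:127.0.0.1 matches 127.0.0.0/8
			return true
		}
	}
	return false
}

// clientIP picks the address to use for access rules and the query log.
// peer is the TCP peer of the connection (e.g. parsed from http.Request.RemoteAddr);
// xff is the raw X-Forwarded-For header value.
func clientIP(peer netip.Addr, xff string, trusted []netip.Prefix) netip.Addr {
	if !isTrusted(peer, trusted) {
		return peer.Unmap() // header sent by an untrusted peer is ignored
	}
	// Walk right to left: the rightmost entries were appended by our own proxies.
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // missing or malformed entry: fall back to the peer
		}
		if !isTrusted(ip, trusted) {
			return ip.Unmap()
		}
	}
	return peer.Unmap()
}

func main() {
	direct := netip.MustParseAddr("203.0.113.7") // constructed: untrusted internet client
	fmt.Println(clientIP(direct, "8.8.8.8", trustedProxies)) // 203.0.113.7
	fmt.Println(clientIP(netip.MustParseAddr("127.0.0.1"), "198.51.100.9", trustedProxies)) // 198.51.100.9
}
```

With this check, a header naming a public resolver's address only changes the recorded client when the connection itself comes from an allow-listed proxy.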