Why can't proxy-address-forwarding always be enabled (and enabled by default)?


Olivier Masseau

Jun 8, 2023, 2:23:35 PM6/8/23
to WildFly
Hello,

I've never really understood why proxy-address-forwarding is not enabled by default.
Is there any use case where enabling it would be a problem?

I've done several tests, and even when we are not behind a proxy, having proxy-address-forwarding=true is not problematic and everything works fine.

WildFly does not care if no x-forwarded-* headers are present on the request, even when proxy-address-forwarding=true is enabled, and it does not generate any error.

So why not always keep it set to true?

Thanks a lot.




Alexey Makhmutov

Jun 9, 2023, 6:55:51 AM6/9/23
to WildFly
Hi,

Well, one obvious answer is security. Processing of the 'x-forwarded-...' headers allows an external client to spoof its real address in the HTTP log (or in some kind of application audit events), as the server API will return the value specified by these headers instead of the real client address. The decision to enable the 'proxy-address-forwarding' attribute is a conscious and explicit statement by the server administrator that all untrusted client requests are expected to be handled by the proxy and that these 'x-forwarded-...' headers can be trusted.

This may not be an issue for a specific client configuration, but making this attribute enabled by default would decrease the overall security level of the server in the default configuration. I personally would be surprised to see it enabled by default.

Thanks,
Alexey

Thursday, June 8, 2023 at 21:23:35 UTC+3, Olivier Masseau:
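Alexey's point in working form, as an added example that is not WildFly's or Undertow's own code: a small model of what a proxy-address-forwarding style setting does when resolving the client address. `client_address` believes the leftmost X-Forwarded-For hop whenever forwarding is on, which is the spoofable behaviour he describes; `client_address_trusted` is the hardened variant a practitioner would want, honouring the header only when the TCP peer is a known proxy and walking the chain from the right so that hops injected by the client are ignored. The IP addresses, the trusted-proxy range and the "leftmost hop" reading of the naive version are assumptions for illustration, not a description of WildFly's internals.

```python
"""Client-address resolution with and without X-Forwarded-For trust.

Added example, not WildFly/Undertow code. Models why a forwarding setting
must only be enabled behind a trusted reverse proxy. All addresses, the
trusted-proxy list and the request samples are constructed for illustration.
"""
import ipaddress
from typing import Mapping, Optional, Sequence


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def parse_forwarded_for(value: str) -> list:
    """Split an X-Forwarded-For header into its comma-separated hops."""
    return [h.strip() for h in value.split(",") if h.strip()]


def _parse_ip(text: str):
    """Return an ip_address object or None if the hop is not a valid IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def client_address(peer: str, headers: Mapping[str, str],
                   proxy_address_forwarding: bool) -> str:
    """Naive behaviour (assumed, for illustration): if forwarding is enabled,
    believe the leftmost X-Forwarded-For hop no matter who sent the header.
    Any direct client can therefore choose the address that lands in the
    access log or in application audit events."""
    hops = parse_forwarded_for(_header(headers, "X-Forwarded-For"))
    if proxy_address_forwarding and hops:
        return hops[0]
    return peer


def client_address_trusted(peer: str, headers: Mapping[str, str],
                           trusted_proxies: Sequence[str]) -> str:
    """Hardened variant: honour X-Forwarded-For only when the TCP peer is one
    of our proxies, then walk the chain from the right and stop at the first
    address that is not a trusted proxy (that is the real client). A
    malformed hop means the chain cannot be trusted, so fall back to the peer."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip) -> bool:
        return any(ip in n for n in nets)

    peer_ip = _parse_ip(peer)
    if peer_ip is None or not is_trusted(peer_ip):
        # Request did not come through our proxy: the header is untrusted input.
        return peer
    for hop in reversed(parse_forwarded_for(_header(headers, "X-Forwarded-For"))):
        ip = _parse_ip(hop)
        if ip is None:
            return peer
        if not is_trusted(ip):
            return str(ip)
    # Header absent, or every hop is one of our own proxies.
    return peer


if __name__ == "__main__":
    TRUSTED = ["192.0.2.0/24"]            # assumed reverse-proxy subnet
    spoof = {"X-Forwarded-For": "10.0.0.1"}
    # 1. No proxy in front, forwarding on: the client picks its own address.
    print("naive, direct :", client_address("203.0.113.7", spoof, True))
    print("hardened, direct :", client_address_trusted("203.0.113.7", spoof, TRUSTED))
    # 2. Behind the proxy, but the client also injected a hop of its own.
    chained = {"X-Forwarded-For": "10.0.0.1, 203.0.113.7"}
    print("naive, via proxy :", client_address("192.0.2.10", chained, True))
    print("hardened, via proxy:", client_address_trusted("192.0.2.10", chained, TRUSTED))
```

Scenario 2 is the one worth remembering: even with a real proxy in front, a resolver that trusts the leftmost hop can still be fooled unless the proxy overwrites (rather than appends to) the client-supplied header. Enabling the setting is a statement that the peer really is your proxy, and the proxy should be configured accordingly.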

Olivier Masseau

Jun 9, 2023, 7:15:56 AM6/9/23
to Alexey Makhmutov, WildFly
Thanks a lot Alexey.
It's clearer to me now.
