[Oisf-users] Suricata X-Forwarded For Question
Duarte Silva
duarte.silva at serializing.me
Tue Oct 28 20:17:03 UTC 2014
On Tuesday 28 October 2014 17:49:58 Peter Manev wrote:
> On Tue, Oct 28, 2014 at 3:32 PM, Kevin Ross <kevross33 at googlemail.com>
wrote:
> > Hi,
> >
> > I use X-Forwarded-For overwriting. I have new proxies though and before it
> > would be typically a single IP but now it is X-Forwarded-For: CLIENT_IP,
> > 127.0.0.1.
With those new proxies you are using, the vendor is actually implementing the
XFF specification correctly where the left-most value is the original client
and where each successive proxy that passed the request adds it's IP address
to the right.
In Suricata, the XFF code will use the last entry because it has been designed
to be used in a reverse proxy environment, meaning, in an environment where
you have a reverse proxy (Apache, F5, etc.), routing traffic to the internal web
servers where the last IP address of the XFF header is the actual IP from the
client that requested the page, image, etc.
This is so to avoid spoofing, the last IP is the one added by the reverse proxy
and the one that should be trusted.
One way I could see this being fixed is by adding a configuration option in
order for the XFF code to behave differently depending on the deployment,
allowing the user to choose.
Cheers,
Duarte
> >
> > I have no idea why this is the case it would add that in but basically
> > Suricata is taking the loopback as the overwrite address. Can I specify
> > which which one to use? If not I will need to disable this which I would
> > prefer not to until vendor responds :(
> >
> >
> > Thanks,
> > Kevin
>
> I am not sure I understand - could you give an example of a log entry
> or something ?
More information about the Oisf-users
mailing list