[Oisf-users] Suricata X-Forwarded For Question

Kevin Ross kevross33 at googlemail.com
Wed Oct 29 08:48:25 UTC 2014


Hi,

Just to remove confusion, the 127.0.0.1 is not an example; it really is in
there. It seems that internally the proxy vendor is using 2 processes, so
internally within the box you have an upstream proxy and Suricata is taking
the 127.0.0.1 address as the one to use. So what the header ends up like is:
X-Forwarded-For: IP, 127.0.0.1



On 28 October 2014 20:17, Duarte Silva <duarte.silva at serializing.me> wrote:

> On Tuesday 28 October 2014 17:49:58 Peter Manev wrote:
> > On Tue, Oct 28, 2014 at 3:32 PM, Kevin Ross <kevross33 at googlemail.com> wrote:
> > > Hi,
> > >
> > > I use X-Forwarded-For overwriting. I have new proxies though and before it
> > > would be typically a single IP but now it is X-Forwarded-For: CLIENT_IP,
> > > 127.0.0.1.
>
> With those new proxies you are using, the vendor is actually implementing the
> XFF specification correctly where the left-most value is the original client
> and where each successive proxy that passed the request adds its IP address
> to the right.
>
> In Suricata, the XFF code will use the last entry because it has been designed
> to be used in a reverse proxy environment, meaning, in an environment where
> you have a reverse proxy (Apache, F5, etc.), routing traffic to the internal web
> servers where the last IP address of the XFF header is the actual IP from the
> client that requested the page, image, etc.
>
> This is so to avoid spoofing, the last IP is the one added by the reverse proxy
> and the one that should be trusted.
>
> One way I could see this being fixed is by adding a configuration option in
> order for the XFF code to behave differently depending on the deployment,
> allowing the user to choose.
>
> Cheers,
> Duarte
>
> > >
> > > I have no idea why this is the case it would add that in but basically
> > > Suricata is taking the loopback as the overwrite address. Can I specify
> > > which one to use? If not I will need to disable this which I would
> > > prefer not to until vendor responds :(
> > >
> > >
> > > Thanks,
> > > Kevin
> >
> > I am not sure I understand - could you give an example of a log entry
> > or something ?
>
>
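The two selection policies Duarte describes (rightmost entry for a reverse-proxy deployment, as Suricata does; leftmost entry for a forward-proxy chain that appends hops), as an added worked example that is not part of the original thread and not Suricata's own code. The header values and the `pick_client` / `parse_xff` helpers are constructed for illustration.

```python
# Added example (not Suricata's code): choose the client address from an
# X-Forwarded-For header under the two deployment models discussed above.
from ipaddress import ip_address


def parse_xff(header_value):
    """Split an XFF value into its comma-separated hops, left to right."""
    return [h.strip() for h in header_value.split(",") if h.strip()]


def pick_client(header_value, mode):
    """
    mode="reverse": the rightmost entry was appended by our own (trusted)
                    reverse proxy, so it is the real client. This is the
                    behaviour Suricata's XFF code implements.
    mode="forward": the leftmost entry is the original client and every later
                    hop is a proxy that handled the request (the behaviour of
                    the new proxies in the thread, which append 127.0.0.1).
    Returns None when there is no entry or the chosen entry is not a valid IP.
    """
    hops = parse_xff(header_value)
    if not hops:
        return None
    chosen = hops[-1] if mode == "reverse" else hops[0]
    try:
        return str(ip_address(chosen))  # validates IPv4 and IPv6 literals
    except ValueError:
        return None


# Constructed header values illustrating the situation in the thread.
OLD_PROXY = "198.51.100.23"               # single entry: both modes agree
NEW_PROXY = "198.51.100.23, 127.0.0.1"    # internal upstream hop appended
UNTRUSTED = "203.0.113.9, 198.51.100.23"  # client-supplied leftmost entry;
                                          # only the rightmost hop was added
                                          # by a proxy we control

if __name__ == "__main__":
    for label, value in (("old", OLD_PROXY), ("new", NEW_PROXY),
                         ("untrusted", UNTRUSTED)):
        print(label, "reverse ->", pick_client(value, "reverse"),
              "| forward ->", pick_client(value, "forward"))
```

In "reverse" mode the new proxies yield 127.0.0.1, which is exactly the overwrite address Kevin is seeing; a deployment-dependent switch such as the one Duarte proposes is what would let the leftmost entry be used instead.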