Add an option to control the use of X-Forwarded-For header.

tinyproxy · vbelov42 · Mar 31, 2017 · Apr 1, 2017 · Mar 30, 2018 · Sep 27, 2018
commit 0fc9d1cd3938a1c63108a6585574eb709b183671
diff --git a/docs/man5/tinyproxy.conf.txt.in b/docs/man5/tinyproxy.conf.txt.in
@@ -246,6 +246,14 @@ AddHeader "X-My-Header" "Powered by Tinyproxy"
     enabling this option, you break compliance.
     Don't disable the `Via` header unless you know what you are doing...
 
+*DisableXffHeader*::
+
+    The 'X-Forwarded-For' header isn't required by the HTTP RFC,
+    but is a common method for identifying the originating IP address
+    of a client connecting to a web server through an HTTP proxy or
+    load balancer. Though, using this is a security concern.
+    So turn this off only for demand.
+
 *Filter*::
 
     Tinyproxy supports filtering of web sites based on URLs or

diff --git a/etc/tinyproxy.conf.in b/etc/tinyproxy.conf.in
@@ -233,6 +233,15 @@ ViaProxyName "tinyproxy"
 #
 #DisableViaHeader Yes
 
+#
+# DisableXffHeader: The 'X-Forwarded-For' header isn't required by the
+# HTTP RFC, but is a common method for identifying the originating
+# IP address of a client connecting to a web server through an HTTP
+# proxy or load balancer. Though, using this is a security concern.
+# So we disable it by default.
+#
+DisableXffHeader Yes
+
 #
 # Filter: This allows you to specify the location of the filter file.
 #

diff --git a/src/conf.c b/src/conf.c
@@ -156,6 +156,7 @@ static HANDLE_FUNC (handle_timeout);
 static HANDLE_FUNC (handle_user);
 static HANDLE_FUNC (handle_viaproxyname);
 static HANDLE_FUNC (handle_disableviaheader);
+static HANDLE_FUNC (handle_disablexffheader);
 static HANDLE_FUNC (handle_xtinyproxy);
 
 #ifdef UPSTREAM_SUPPORT
@@ -205,11 +206,12 @@ struct {
         STDCONF ("defaulterrorfile", STR, handle_defaulterrorfile),
         STDCONF ("statfile", STR, handle_statfile),
         STDCONF ("stathost", STR, handle_stathost),
-        STDCONF ("xtinyproxy",  BOOL, handle_xtinyproxy),
         /* boolean arguments */
         STDCONF ("syslog", BOOL, handle_syslog),
         STDCONF ("bindsame", BOOL, handle_bindsame),
         STDCONF ("disableviaheader", BOOL, handle_disableviaheader),
+        STDCONF ("disablexffheader", BOOL, handle_disablexffheader),
+        STDCONF ("xtinyproxy",  BOOL, handle_xtinyproxy),
         /* integer arguments */
         STDCONF ("port", INT, handle_port),
         STDCONF ("maxclients", INT, handle_maxclients),
@@ -736,6 +738,19 @@ static HANDLE_FUNC (handle_disableviaheader)
         return 0;
 }
 
+static HANDLE_FUNC (handle_disablexffheader)
+{
+        int r = set_bool_arg (&conf->disable_xffheader, line, &match[2]);
+
+        if (r) {
+                return r;
+        }
+
+        log_message (LOG_INFO,
+                     "Disabling transmission of the \"X-Forwarded-For\" header.");
+        return 0;
+}
+
 static HANDLE_FUNC (handle_defaulterrorfile)
 {
         return set_string_arg (&conf->errorpage_undef, line, &match[2]);

diff --git a/src/conf.h b/src/conf.h
@@ -77,6 +77,8 @@ struct config_s {
 
         unsigned int disable_viaheader; /* boolean */
 
+        unsigned int disable_xffheader; /* boolean */
+
         /*
          * Error page support.  Map error numbers to file paths.
          */

diff --git a/src/reqs.c b/src/reqs.c
@@ -923,17 +923,20 @@ process_client_headers (struct conn_s *connptr, hashmap_t hashofheaders)
                                      NULL);
                 goto PULL_CLIENT_DATA;
         }
-        /* Send new or appended the 'X-Forwarded-For' header */
-        ret = write_xff_header(connptr->server_fd, hashofheaders,
-                               connptr->client_ip_addr);
-        if (ret < 0) {
-                indicate_http_error(connptr, 503,
-                                    "Could not send data to remote server",
-                                    "detail",
-                                    "A network error occurred while "
-                                    "trying to write data to the remote web server.",
-                                    NULL);
-                goto PULL_CLIENT_DATA;
+
+        if (!config.disable_xffheader) {
+                /* Send new or appended the 'X-Forwarded-For' header */
+                ret = write_xff_header(connptr->server_fd, hashofheaders,
+                                       connptr->client_ip_addr);
+                if (ret < 0) {
+                        indicate_http_error(connptr, 503,
+                                            "Could not send data to remote server",
+                                            "detail",
+                                            "A network error occurred while "
+                                            "trying to write data to the remote web server.",
+                                            NULL);
+                        goto PULL_CLIENT_DATA;
+                }
         }
 
         /*
@@ -1096,11 +1099,14 @@ static int process_server_headers (struct conn_s *connptr)
                                 connptr->protocol.minor);
         if (ret < 0)
                 goto ERROR_EXIT;
-        /* Send new or appended the 'X-Forwarded-For' header */
-        ret = write_xff_header(connptr->client_fd, hashofheaders,
-                               connptr->server_ip_addr);
-        if (ret < 0)
-                goto ERROR_EXIT;
+
+        if (!config.disable_xffheader) {
+                /* Send new or appended the 'X-Forwarded-For' header */
+                ret = write_xff_header(connptr->client_fd, hashofheaders,
+                                       connptr->server_ip_addr);
+                if (ret < 0)
+                        goto ERROR_EXIT;
+        }
 
 #ifdef REVERSE_SUPPORT
         /* Write tracking cookie for the magical reverse proxy path hack */
-Original file line number
+Diff line change
@@ Expand Up / @@ -77,6 +77,8 @@ struct config_s { @@
             unsigned int disable_viaheader; /* boolean */
+            unsigned int disable_xffheader; /* boolean */
             /*
              * Error page support.  Map error numbers to file paths.
              */
@@ Expand Down @@