trust X-Forwarded-* headers

[hmoffatt]

Hi,
Since upgrading Debian recently I have a new mod_auth_openidc which has started to complain about unexpected X-Forwarded-* headers, as I haven't configured mod_auth_openidc to use them. I have the Cloudflare proxy in front of my sites which is injecting these headers.

Some other applications can be configured to only use those headers if the connection comes from whitelisted IP address. This prevents direct access (avoiding the proxy) injecting faked proxy information. For example Apache HTTPD mod_remoteip can be configured to use the client IP address from X-Forwarded-For (or CF-Connecting-IP) if it comes from an IP on the whitelist.

I don't see any option in mod_auth_openidc to check the source IP before using these headers. Is this a security risk?

Secondly, what does mod_auth_openidc use these headers for anyway? I already use mod_remoteip to get the true remote IP. Everything works ok. But then my external proto/host/port is always the same as the internal ones anyway.

[zandbelt]

typically you'd only use X-Forwarded-* when you're behind a reverse proxy and that reverse proxy (one or more) would be the only way to access mod_auth_openidc, hence there's typically no need to add an additional source IP check; the X-Forwarded-* headers are used to determine the "outer" hostname, port and protocol that the proxy serves on behalf of mod_auth_openidc, see: https://github.com/OpenIDC/mod_auth_openidc/wiki#8-how-do-i-run-mod_auth_openidc-behind-a-reverse-proxy

[hmoffatt]

If I set OIDCXForwardedHeaders none, will it stop logging about the headers that are present? As the external proto and port are the same as the internal, I don't think I need the headers to be processed.

[zandbelt]

if you want to get rid of the log messages but you don't want to remove the headers from the incoming request, then it is better to just use/configure them, it won't hurt, assuming they contain correct information about the external URL