From e446234e9c2512b01040fffcefc429a8d974808e Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 6 Aug 2025 10:08:30 -0700
Subject: [PATCH] remove spoof-able request header (#7103)

* remove spoof-able request header

https://github.com/seaweedfs/seaweedfs/issues/7094#issuecomment-3158320497

* Update weed/security/guard.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 weed/security/guard.go | 30 ++----------------------------
 weed/server/master_server.go | 6 ------
 2 files changed, 2 insertions(+), 34 deletions(-)

diff --git a/weed/security/guard.go b/weed/security/guard.go
index a857c8549..a41cb0288 100644
--- a/weed/security/guard.go
+++ b/weed/security/guard.go
@@ -77,34 +77,8 @@ func (g *Guard) WhiteList(f http.HandlerFunc) http.HandlerFunc {
 }
 
 func GetActualRemoteHost(r *http.Request) string {
-	// Check X-Forwarded-For headers first (may contain comma-separated IPs)
-	// HTTP_X_FORWARDED_FOR is used for SeaweedFS internal communication when master proxies to leader
-	host := r.Header.Get("HTTP_X_FORWARDED_FOR")
-	if host == "" {
-		host = r.Header.Get("X-FORWARDED-FOR")
-	}
-	if host != "" {
-		for _, ipStr := range strings.Split(host, ",") {
-			host = strings.TrimSpace(ipStr)
-			if host != "" {
-				break
-			}
-		}
-	}
-
-	// If no valid IP from X-Forwarded-For, try X-Real-IP (single IP)
-	if host == "" {
-		host = r.Header.Get("X-Real-IP")
-	}
-
-	// If we got a host from headers, use it (can be IP or hostname)
-	if host != "" {
-		if host = strings.TrimSpace(host); host != "" {
-			return host
-		}
-	}
-
-	// If no host from headers, extract from RemoteAddr
+	// For security reasons, only use RemoteAddr to determine the client's IP address.
+	// Do not trust headers like X-Forwarded-For, as they can be easily spoofed by clients.
 	host, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err == nil {
 		return host
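Review bot: The two added comment lines inside GetActualRemoteHost state the policy, but the exported function still has no doc comment beginning with its name, so the reason the forwarded headers are ignored is invisible to `go doc` and to callers; move it above the signature as `// GetActualRemoteHost returns the host part of r.RemoteAddr. Forwarded-for style headers are deliberately ignored because any client can set them, so deployments behind a trusted reverse proxy must whitelist the proxy's address rather than end-client addresses.` That last clause matters for Guard.WhiteList, which appears in the hunk header and presumably consults this function: with this change a whitelist in front of a load balancer or proxy sees only the proxy's address, which is the correct trade-off but an operational change worth stating. The function's body continues past the end of the hunk, so the non-error fallback is not visible here.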
diff --git a/weed/server/master_server.go b/weed/server/master_server.go
index 7d0d6f938..52d0f996b 100644
--- a/weed/server/master_server.go
+++ b/weed/server/master_server.go
@@ -257,12 +257,6 @@ func (ms *MasterServer) proxyToLeader(f http.HandlerFunc) http.HandlerFunc {
 		// proxy to leader
 		glog.V(4).Infoln("proxying to leader", raftServerLeader)
 		proxy := httputil.NewSingleHostReverseProxy(targetUrl)
-		director := proxy.Director
-		proxy.Director = func(req *http.Request) {
-			actualHost := security.GetActualRemoteHost(req)
-			req.Header.Set("HTTP_X_FORWARDED_FOR", actualHost)
-			director(req)
-		}
 		proxy.Transport = util_http.GetGlobalHttpClient().GetClientTransport()
 		proxy.ServeHTTP(w, r)
 	}
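Review bot: With the Director override removed, a request that a non-leader master forwards to the leader now arrives there with RemoteAddr equal to the forwarding master, so any whitelist check on the leader evaluates the peer master's address instead of the original client's, and nothing in the hunk records that consequence. A one-line comment next to `proxy := httputil.NewSingleHostReverseProxy(targetUrl)` such as `// The leader sees this master as the client; peer masters must be on the leader's whitelist.` would make the operational requirement explicit at the point where it arises. Whether the leader's handlers are actually wrapped by Guard.WhiteList is not visible in this hunk, so that part is inferred. proxyToLeader begins before the hunk.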